From 58b7a72d0701310933d7d52549bdfd40ff14e273 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 2 Oct 2024 10:21:02 +0200
Subject: [PATCH] BUG/MINOR: mux-quic: fix crash on qcc_init() early return qcc_release() may be used in case qcc_init() cannot complete. In this case, connection instance is NULL. As such, it cannot be dereferenced without testing it first. This should fix github coverity report #2739. No backport needed.
---
 src/mux_quic.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/mux_quic.c b/src/mux_quic.c
index 09f88334905ef..8b46580757e7c 100644
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -2626,7 +2626,7 @@ static void qcc_release(struct qcc *qcc)
 {
 struct connection *conn = qcc->conn;
 struct eb64_node *node;
- struct quic_conn *qc = conn->handle.qc;
+ struct quic_conn *qc;
 TRACE_ENTER(QMUX_EV_QCC_END, conn);
@@ -2644,11 +2644,14 @@ static void qcc_release(struct qcc *qcc)
 }
 /* unsubscribe from all remaining qc_stream_desc */
- node = eb64_first(&qc->streams_by_id);
- while (node) {
- struct qc_stream_desc *stream = eb64_entry(node, struct qc_stream_desc, by_id);
- qc_stream_desc_sub_room(stream, NULL);
- node = eb64_next(node);
+ if (conn) {
+ qc = conn->handle.qc;
+ node = eb64_first(&qc->streams_by_id);
+ while (node) {
+ struct qc_stream_desc *stream = eb64_entry(node, struct qc_stream_desc, by_id);
+ qc_stream_desc_sub_room(stream, NULL);
+ node = eb64_next(node);
+ }
 }
 tasklet_free(qcc->wait_event.tasklet);
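Review bot: The `if (conn)` guard added in the second hunk has no in-code explanation of when `conn` can be NULL, so a later edit to qcc_release() could easily reintroduce an unconditional dereference. A comment above the guard, such as `/* conn is NULL if qcc_init() failed early: no qc_stream_desc to unsubscribe from */`, would record the invariant that today lives only in the commit message. In the visible lines `qc` (first hunk) is now assigned and used only inside the guarded block, so if it has no other use in the function it could be declared there, `struct quic_conn *qc = conn->handle.qc;`, which keeps it from being read uninitialised on the NULL path. The function body starts before and continues past both hunks, so any other use of `conn` on the release path that is not shown here should be confirmed to tolerate NULL as well.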