From 7d76ffb2a49a2926010358a3f3e08a395715a547 Mon Sep 17 00:00:00 2001
From: Amaury Denoyelle
Date: Wed, 11 Oct 2023 15:40:38 +0200
Subject: [PATCH] BUG/MINOR: quic: fix qc.cids access on quic-conn fail alloc

CIDs tree is now allocated dynamically since the following commit : 276697438d50456f92487c990f20c4d726dfdb96 MINOR: quic: Use a pool for the connection ID tree. This can caused a crash if qc_new_conn() is interrupted due to an intermediary failed allocation. When freeing all connection members, free_quic_conn_cids() is used. However, this function does not support a NULL cids. To fix this, simply check that cids is NULL during free_quic_conn_cids() prologue. This bug was reproduced using -dMfail. No need to backport.
---
 include/haproxy/quic_conn.h | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/include/haproxy/quic_conn.h b/include/haproxy/quic_conn.h
index 5d2fbfa05..a1f72c0ef 100644
--- a/include/haproxy/quic_conn.h
+++ b/include/haproxy/quic_conn.h
@@ -209,6 +209,9 @@ static inline void free_quic_conn_cids(struct quic_conn *conn)
 {
 	struct eb64_node *node;
 
+	if (!conn->cids)
+		return;
+
 	node = eb64_first(conn->cids);
 	while (node) {
 		struct quic_connection_id *conn_id;
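Review bot: The new early return on `conn->cids` carries no comment explaining why a NULL tree is a legitimate state in a function that otherwise assumes the tree exists, so a later reader of the header is likely to read it as a dead check. A one-line comment above it, `/* cids is NULL when qc_new_conn() failed before allocating the tree. */`, records the invariant the commit message describes at the point where it matters. free_quic_conn_cids() continues past the end of the hunk, so anything after the loop (presumably releasing the tree allocation itself) is skipped by this return as well; that is correct for a never-allocated tree, but callers must not assume the function leaves `conn->cids` in any particular state on that path. I cannot see the remainder of the function here, so that last point is inferred from the hunk header's function context.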