Segmentation fault when using http3(quiche) to request an invalid(?) https url

[Cering]

I did this

(1) request an invalid https url and the result is failed, bacause curl: (60) SSL certificate problem: certificate has expired
(2) then use http3(with quiche) try again, a Segmentation fault happend, curl can not return error info like(1)

(1) normal request

# ./curl -v "https://akaquic.com/web_example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.2.2"

* STATE: INIT => CONNECT handle 0xdd0d48; line 1646 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0xdd0d48; line 1692 (connection #0)
* family0 == v4, family1 == v6
*   Trying 184.51.102.201:443...
* STATE: WAITRESOLVE => WAITCONNECT handle 0xdd0d48; line 1774 (connection #0)
* Connected to akaquic.com (184.51.102.201) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0xdd0d48; line 1840 (connection #0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0xdd0d48; line 1858 (connection #0)
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* multi_done
* The cache now contains 0 members
* Closing connection 0
* Expire cleared (transfer 0xdd0d48)
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

(2) http3 request

# ./curl -v --http3 "https://akaquic.com/web_example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.2.2"

* STATE: INIT => CONNECT handle 0x77bd48; line 1646 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x77bd48; line 1692 (connection #0)
* family0 == v4, family1 == v6
*   Trying 184.51.102.201:443...
* Connect socket 5 over QUIC to 184.51.102.201:443
* Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
* STATE: WAITRESOLVE => WAITCONNECT handle 0x77bd48; line 1774 (connection #0)
* quiche_conn_recv() == -3
Segmentation fault

I expected the following

using gdb to locate SIGSEGV, and the stack is

(gdb) r -v --http3 "https://akaquic.com/web_example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.2.2"
Starting program: /data/download/curl-7.75.0/zbin/bin/curl -v --http3 "https://akaquic.com/web_example/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.2.2"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
* STATE: INIT => CONNECT handle 0x657d48; line 1646 (connection #-5000)
* Added connection 0. The cache now contains 1 members
[New Thread 0x2aaab2b16700 (LWP 8001)]
* STATE: CONNECT => WAITRESOLVE handle 0x657d48; line 1692 (connection #0)
[Thread 0x2aaab2b16700 (LWP 8001) exited]
* family0 == v4, family1 == v6
*   Trying 184.51.102.195:443...
* Connect socket 9 over QUIC to 184.51.102.195:443
* Sent QUIC client Initial, ALPN: h3-29,h3-28,h3-27
* STATE: WAITRESOLVE => WAITCONNECT handle 0x657d48; line 1774 (connection #0)
* quiche_conn_recv() == -3

Program received signal SIGSEGV, Segmentation fault.
quiche::Connection::on_timeout::hb3b1496011e1cad3 (self=0x0) at src/lib.rs:3454
3454	        if let Some(draining_timer) = self.draining_timer {
Missing separate debuginfos, use: debuginfo-install libgcc-4.8.5-16.el7_4.2.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb)
(gdb) bt
#0  quiche::Connection::on_timeout::hb3b1496011e1cad3 (self=0x0) at src/lib.rs:3454
#1  0x00002aaaaba619cb in quiche_conn_on_timeout (conn=0x0) at src/ffi.rs:701
#2  0x00002aaaaad79d1a in process_ingress (data=0x657d48, sockfd=9, qs=0x656e10) at vquic/quiche.c:364
#3  0x00002aaaaad79c47 in Curl_quic_is_connected (data=0x657d48, conn=0x656d78, sockindex=0, done=0x7fffffffddc7) at vquic/quiche.c:336
#4  0x00002aaaaacf7302 in Curl_is_connected (data=0x657d48, conn=0x656d78, sockindex=0, connected=0x7fffffffddc7) at connect.c:901
#5  0x00002aaaaad3426f in multi_runsingle (multi=0x656998, nowp=0x7fffffffdf10, data=0x657d48) at multi.c:1822
#6  0x00002aaaaad35630 in curl_multi_perform (multi=0x656998, running_handles=0x7fffffffdf64) at multi.c:2412
#7  0x00002aaaaad063c7 in easy_transfer (multi=0x656998) at easy.c:606
#8  0x00002aaaaad065f0 in easy_perform (data=0x657d48, events=false) at easy.c:696
#9  0x00002aaaaad0663a in curl_easy_perform (data=0x657d48) at easy.c:715
#10 0x000000000041b446 in serial_transfers (global=0x7fffffffe180, share=0x653748) at tool_operate.c:2326
#11 0x000000000041b8ba in run_all_transfers (global=0x7fffffffe180, share=0x653748, result=CURLE_OK) at tool_operate.c:2504
#12 0x000000000041bbdc in operate (global=0x7fffffffe180, argc=4, argv=0x7fffffffe2e8) at tool_operate.c:2620
#13 0x0000000000411efc in main (argc=4, argv=0x7fffffffe2e8) at tool_main.c:277

frame #2 process_ingress() passed qs->conn to quiche's method quiche_conn_on_timeout()
and the qs is from conn->hequic, but both quicsocket in conn->hequic is invalid

(gdb) frame 3
#3  0x00002aaaaad79c47 in Curl_quic_is_connected (data=0x657d48, conn=0x656d78, sockindex=0, done=0x7fffffffddc7) at vquic/quiche.c:336
336	  result = process_ingress(data, sockfd, qs);
(gdb) p conn->hequic
$1 = {{cfg = 0x0, conn = 0x0, h3c = 0x0, h3config = 0x0, scid = "+\n\006E\353s\342\004\362\235N\306\362\266\063\353\260\177\311p", sockfd = 9, version = 0}, {cfg = 0x0,
    conn = 0x0, h3c = 0x0, h3config = 0x0, scid = '\000' <repeats 19 times>, sockfd = 0, version = 0}}

curl/libcurl version

curl 7.75.0 (x86_64-pc-linux-gnu) libcurl/7.75.0 BoringSSL zlib/1.2.7 quiche/0.6.0
Release-Date: 2021-02-03
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS Debug HTTP3 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TrackMemory UnixSockets

operating system

Linux centos7.virtual 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[bagder]

I tried it with current curl in git with current quiche from git (0.7.0) and I can reproduce a crash, even if I seem to get a slightly different stack trace.

[bagder]

I ran into issues when I tried to rebuild quiche and now I can't do it anymore. I've filed an issue over there cloudflare/quiche#863 and will come back here once I can build quiche again! 😢