[FIXED] Nil account panic in processLeafNodeConnect

umut-polat · neilalexander · commit c971de04af6c · 2026-04-08T11:36:01.000+01:00
When a leafnode connection is closed during authentication (e.g. auth timeout), the account may not have been set on the client yet. If processLeafNodeConnect continues to run after the connection was closed, it dereferences c.acc in registerLeafNodeCluster, causing a nil pointer panic. Add a nil check for the account before proceeding, consistent with other code paths in the same file (initLeafNodeSmapAndSendSubs, checkJetStreamExportReconcile) that already guard against this. Add a test that races a CONNECT with an expired auth timeout to exercise the guard. Resolves #7989 Signed-off-by: umut-polat <52835619+umut-polat@users.noreply.github.com>
diff --git a/server/leafnode.go b/server/leafnode.go
@@ -2158,6 +2158,13 @@ func (c *client) processLeafNodeConnect(s *Server, arg []byte, lang string) erro
 	acc := c.acc
 	c.mu.Unlock()
 
+	// If the account is not set (e.g. connection was closed due to auth
+	// timeout while still being processed), bail out to avoid a panic.
+	if acc == nil {
+		c.closeConnection(MissingAccount)
+		return ErrMissingAccount
+	}
+
 	// Register the cluster, even if empty, as long as we are acting as a hub.
 	if !proto.Hub {
 		acc.registerLeafNodeCluster(proto.Cluster)
diff --git a/server/leafnode_test.go b/server/leafnode_test.go
@@ -12160,3 +12160,51 @@ func TestLeafNodeNoAccPanicOnLeafSubBeforeConnectOperatorMode(t *testing.T) {
 		t.Fatal("Server should not have shutdown")
 	}
 }
+
+func TestLeafNodeNoAccPanicOnProcessLeafNodeConnect(t *testing.T) {
+	o := DefaultOptions()
+	o.LeafNode.Port = -1
+	o.LeafNode.AuthTimeout = 0.001 // Very short auth timeout (1ms)
+	s := RunServer(o)
+	defer s.Shutdown()
+
+	addr := fmt.Sprintf("127.0.0.1:%d", o.LeafNode.Port)
+	c, err := net.Dial("tcp", addr)
+	require_NoError(t, err)
+	defer c.Close()
+
+	// Read the INFO.
+	br := bufio.NewReader(c)
+	c.SetReadDeadline(time.Now().Add(2 * time.Second))
+	l, _, err := br.ReadLine()
+	require_NoError(t, err)
+	if !strings.HasPrefix(string(l), "INFO") {
+		t.Fatalf("Expected INFO, got %q", l)
+	}
+
+	// Wait for the auth timeout to fire, then send CONNECT with cluster.
+	// This races with the auth timeout closing the connection, which is
+	// the scenario from #7989 where c.acc ends up nil.
+	time.Sleep(5 * time.Millisecond)
+
+	connect := `CONNECT {"verbose":false,"pedantic":false,"cluster":"test-cluster"}`
+	c.Write([]byte(connect + "\r\n"))
+
+	// The server should close the connection without panicking.
+	c.SetReadDeadline(time.Now().Add(2 * time.Second))
+	buf := make([]byte, 256)
+	for {
+		_, err = c.Read(buf)
+		if err != nil {
+			break
+		}
+	}
+
+	// Make sure the server is still running (not panicked).
+	s.mu.Lock()
+	shutdown := s.isShuttingDown()
+	s.mu.Unlock()
+	if shutdown {
+		t.Fatal("Server should not have shutdown")
+	}
+}
