In port_bind_channel(), when ossl_quic_provide_initial_secret()
fails, the function returns without freeing the QUIC_CHANNEL
that was just created by port_make_channel(). The caller sees
new_ch == NULL and cannot free it, leaking the channel and all
its sub-allocations (QRX, QTX, TXP, ACKM).
Add ossl_quic_channel_free(ch) before the early return, matching
the cleanup pattern already used by the other error paths in the
same function (lines 864, 873).
CWE-401
Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 10:44:51 2026
(Merged from https://github.com/openssl/openssl/pull/30612)
if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
ch->port->engine->propq,
dcid, /* is_server */ 1,
- ch->qrx, NULL))
+ ch->qrx, NULL)) {
+ ossl_quic_channel_free(ch);
return;
+ }
if (odcid->id_len != 0) {
/*
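Review bot: the added ossl_quic_channel_free(ch) on the ossl_quic_provide_initial_secret() failure path is the right fix, but it is the third copy of the same cleanup in one function (the message cites lines 864 and 873 for the other two); a single `err:` label that does `ossl_quic_channel_free(ch); return;` would keep the error paths in sync and avoid a fourth copy the next time an early return is added. Also worth confirming in review that ossl_quic_channel_free() is safe on a channel at this stage, i.e. one whose QRX is already allocated (it is passed as ch->qrx here) but that has not yet been bound to a connection ID, so that freeing it does not leave a stale entry behind in any per-port bookkeeping populated by port_make_channel().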