ssl/quic/quic_ackm.c: fix use after free for apkt in ackm_on_pkts_acked()
authorLoganaden Velvindron <logan@cyberstorm.mu>
Wed, 10 Jun 2026 13:18:19 +0000 (17:18 +0400)
committerEugene Syromiatnikov <esyr@openssl.org>
Sun, 21 Jun 2026 13:55:04 +0000 (15:55 +0200)
Store in_flight flag in a local variable for later use, as apkt->on_acked()
may free apkt.

Fixes: 427a02ad0a71 "QUIC ACKM: Don't record non-inflight packets in CC"
Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Sun Jun 21 13:55:08 2026
(Merged from https://github.com/openssl/openssl/pull/31447)

ssl/quic/quic_ackm.c

index 3d419c478ba3b8926b65f68904696b71250b6e69..d1ac3b88e9bf55bd99517086560fa2f96b71ce37 100644 (file)
@@ -1003,6 +1003,7 @@ static void ackm_on_pkts_acked(OSSL_ACKM *ackm, const OSSL_ACKM_TX_PKT *apkt)
     const OSSL_ACKM_TX_PKT *anext;
     QUIC_PN last_pn_acked = 0;
     OSSL_CC_ACK_INFO ainfo = { 0 };
+    unsigned int is_inflight;
 
     for (; apkt != NULL; apkt = anext) {
         if (apkt->is_inflight) {
@@ -1027,10 +1028,11 @@ static void ackm_on_pkts_acked(OSSL_ACKM *ackm, const OSSL_ACKM_TX_PKT *apkt)
         ainfo.tx_time = apkt->time;
         ainfo.tx_size = apkt->num_bytes;
 
+        is_inflight = apkt->is_inflight;
         anext = apkt->anext;
         apkt->on_acked(apkt->cb_arg); /* may free apkt */
 
-        if (apkt->is_inflight)
+        if (is_inflight)
             ackm->cc_method->on_data_acked(ackm->cc_data, &ainfo);
     }
 }
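Review bot: The only guard against another post-callback read of `apkt` is the trailing `/* may free apkt */` comment on the `on_acked()` call, and that comment was already on the old side when the removed `if (apkt->is_inflight)` read the packet after it. I would state the rule above the two snapshot lines instead, for example `/* on_acked() may free apkt: copy out everything needed afterwards (anext, is_inflight) before the call. */`, so a later edit does not reintroduce the use after free. As a style point, `is_inflight` is declared at function scope in the first hunk without an initializer although it is a per-iteration snapshot; declaring it at the top of the loop body would make it impossible to read a value left over from a previous packet. The middle of the loop body lies between the two hunks and is not visible here, so it is worth confirming under AddressSanitizer that no other `apkt` field is read after the callback.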