Setting statem.error_state more carefully

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Sat Apr 11 19:34:25 2026
(Merged from https://github.com/openssl/openssl/pull/30647)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b3de7a0982e29f675af22299b0562bb180f3b1f1..549bd7d12597ef4c20b1a76084be529c1cf60b1c 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2271,14 +2271,13 @@ static void ssl_update_error_state(SSL_CONNECTION *sc)
     if (sc == NULL)
         return;
 
-    if (sc->statem.state == MSG_FLOW_ERROR) {
+    if (sc->statem.state == MSG_FLOW_ERROR
+        && sc->statem.error_state == ERROR_STATE_NOERROR) {
         l = ERR_peek_error();
-        if (l != 0) {
-            if (ERR_GET_LIB(l) == ERR_LIB_SYS)
-                sc->statem.error_state = ERROR_STATE_SYSCALL;
-            else
-                sc->statem.error_state = ERROR_STATE_SSL;
-        }
+        if (l == 0 || ERR_GET_LIB(l) == ERR_LIB_SYS)
+            sc->statem.error_state = ERROR_STATE_SYSCALL;
+        else
+            sc->statem.error_state = ERROR_STATE_SSL;
     }
 }