There is a missing call to OPENSSL_free() in the branch
where existing sets are merged to new range. There is
no evidence/POC OpenSSL project is aware of the leak can
be triggered by QUIC protocol operation.
The issue has been kindly reported by Abhinav Agarwal (@abhinavagarwal07)
Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 11:28:41 2026
(Merged from https://github.com/openssl/openssl/pull/30718)
for (x = ossl_list_uint_set_next(x); x != NULL; x = xnext) {
xnext = ossl_list_uint_set_next(x);
ossl_list_uint_set_remove(s, x);
+ OPENSSL_free(x);
}
return 1;
}
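Review bot: the added `OPENSSL_free(x);` in the merge loop has no regression test among the lines shown here, so the leak could come back unnoticed. Consider adding a uint_set test that inserts a range spanning several existing sets and runs under a leak checker. The ordering itself looks right: `xnext = ossl_list_uint_set_next(x);` is read before `x` is removed and freed, so the loop increment `x = xnext` never touches freed memory.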