quic: fix NULL deref in ossl_quic_new_from_listener()
authorAbhinav Agarwal <abhinavagarwal1996@gmail.com>
Thu, 2 Apr 2026 05:58:30 +0000 (22:58 -0700)
committerTomas Mraz <tomas@openssl.foundation>
Fri, 3 Apr 2026 15:47:02 +0000 (17:47 +0200)
ossl_quic_port_create_outgoing() can return NULL under memory pressure.
The result was used immediately by ossl_quic_channel_set_msg_callback()
without a NULL check, causing a crash on the SSL_new_from_listener()
API path.

The correct pattern already exists in create_channel() (same file): check
the return value and raise a non-normal error before jumping to cleanup.
Apply the same pattern here.

Fixes: 0b15147a37c ("Implement SSL_new_from_listener()")
Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Fri Apr  3 15:46:54 2026
(Merged from https://github.com/openssl/openssl/pull/30667)

(cherry picked from commit 1d2d30377017457926616c160258d32b5e963f6c)

ssl/quic/quic_impl.c

index ea764300093d437f99bef1fad67691b5735d9dcd..acb9551b360555a1694c1c7eb0a6fe3faed76f9b 100644 (file)
@@ -4562,6 +4562,10 @@ SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags)
      * to grab reference for qc.
      */
     qc->ch = ossl_quic_port_create_outgoing(qc->port, qc->tls);
+    if (qc->ch == NULL) {
+        QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
+        goto err;
+    }
 
     ossl_quic_channel_set_msg_callback(qc->ch, ql->obj.ssl.ctx->msg_callback, &qc->obj.ssl);
     ossl_quic_channel_set_msg_callback_arg(qc->ch, ql->obj.ssl.ctx->msg_callback_arg);
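Review bot: The added `goto err` runs with `qc->ch == NULL` while `qc->port` and `qc->tls` are already populated, and the `err` label sits outside this hunk, so nothing visible here shows that the cleanup path tolerates that half-built state. Please confirm the cleanup neither dereferences `qc->ch` nor leaks the listener reference or `qc->tls`; the comment just above the call suggests a reference was taken for qc by this point. A short comment in the new branch would record that contract, e.g. `/* qc->ch is NULL here; the err path must cope with a partially initialised qc */`. The body of ossl_quic_new_from_listener() starts and ends outside the hunk, so this is inferred from the visible lines only. Since the commit message says the failure only occurs under memory pressure, a test that forces this allocation to fail would exercise the error path directly.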