From: Sunwoo Lee <sunwoolee@kentech.ac.kr>
Date: Fri, 27 Mar 2026 23:22:02 +0000 (+0900)
Subject: quic: fix channel leak when ossl_quic_provide_initial_secret fails
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00df8afc0132ee603004a967a78f5968eb235697;p=thirdparty%2Fopenssl.git

quic: fix channel leak when ossl_quic_provide_initial_secret fails

  In port_bind_channel(), when ossl_quic_provide_initial_secret()
  fails, the function returns without freeing the QUIC_CHANNEL
  that was just created by port_make_channel(). The caller sees
  new_ch == NULL and cannot free it, leaking the channel and all
  its sub-allocations (QRX, QTX, TXP, ACKM).

  Add ossl_quic_channel_free(ch) before the early return, matching
  the cleanup pattern already used by the other error paths in the
  same function (lines 864, 873).

  CWE-401

  Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>

  CLA: trivial

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 10:44:51 2026
(Merged from https://github.com/openssl/openssl/pull/30612)
---

diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 5b891581dc6..644b4e0fe55 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -850,8 +850,10 @@ static void port_bind_channel(QUIC_PORT *port, const BIO_ADDR *peer,
         if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
                 ch->port->engine->propq,
                 dcid, /* is_server */ 1,
-                ch->qrx, NULL))
+                ch->qrx, NULL)) {
+            ossl_quic_channel_free(ch);
             return;
+        }
 
     if (odcid->id_len != 0) {
         /*