From: Loganaden Velvindron Date: Wed, 10 Jun 2026 13:18:19 +0000 (+0400) Subject: ssl/quic/quic_ackm.c: fix use after free for apkt in ackm_on_pkts_acked() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d9e2a5797ec74a20426a6185df01d10a770ccc5;p=thirdparty%2Fopenssl.git ssl/quic/quic_ackm.c: fix use after free for apkt in ackm_on_pkts_acked() Store in_flight flag in a local variable for later use, as apkt->on_acked() may free apkt. Fixes: 427a02ad0a71 "QUIC ACKM: Don't record non-inflight packets in CC" Signed-off-by: Loganaden Velvindron Reviewed-by: Eugene Syromiatnikov Reviewed-by: Norbert Pocs MergeDate: Sun Jun 21 13:55:08 2026 (Merged from https://github.com/openssl/openssl/pull/31447)
---
diff --git a/ssl/quic/quic_ackm.c b/ssl/quic/quic_ackm.c
index 3d419c478ba..d1ac3b88e9b 100644
--- a/ssl/quic/quic_ackm.c
+++ b/ssl/quic/quic_ackm.c
@@ -1003,6 +1003,7 @@ static void ackm_on_pkts_acked(OSSL_ACKM *ackm, const OSSL_ACKM_TX_PKT *apkt)
 const OSSL_ACKM_TX_PKT *anext;
 QUIC_PN last_pn_acked = 0;
 OSSL_CC_ACK_INFO ainfo = { 0 };
+ unsigned int is_inflight;
 for (; apkt != NULL; apkt = anext) {
 if (apkt->is_inflight) {
@@ -1027,10 +1028,11 @@ static void ackm_on_pkts_acked(OSSL_ACKM *ackm, const OSSL_ACKM_TX_PKT *apkt)
 ainfo.tx_time = apkt->time;
 ainfo.tx_size = apkt->num_bytes;
+ is_inflight = apkt->is_inflight;
 anext = apkt->anext;
 apkt->on_acked(apkt->cb_arg); /* may free apkt */
- if (apkt->is_inflight)
+ if (is_inflight)
 ackm->cc_method->on_data_acked(ackm->cc_data, &ainfo);
 }
 }
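Review bot: In the first hunk (`@@ -1003,6 +1003,7 @@`), `is_inflight` is declared at function scope with no initializer, although its value only has meaning within one loop iteration. Declaring it as the first statement of the `for` body, `const unsigned int is_inflight = apkt->is_inflight;`, would tie the snapshot to the packet it describes. It would also let the existing `if (apkt->is_inflight) {` at the top of the loop use the same copy. The loop body between the two hunks is not visible here, so confirm that nothing in it modifies the flag before moving the read.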
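Review bot: In the second hunk (`@@ -1027,10 +1028,11 @@`), the only warning that `apkt` must not be touched after the callback is the trailing `/* may free apkt */`, which is easy to miss when adding code below it. I would add a comment above the two snapshot lines, such as `/* Copy everything needed after on_acked(): the callback may free apkt, so it must not be dereferenced below. */`. The visible patch changes only ssl/quic/quic_ackm.c, so it appears to carry no regression test. A test whose `on_acked` callback frees its packet, run under AddressSanitizer, would catch a reintroduced read-after-callback. The function starts outside this hunk.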