From: huanghuihui0904 <625173@qq.com>
Date: Mon, 16 Mar 2026 07:16:21 +0000 (+0800)
Subject: ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bbeade53ddd1f2fce73485207f9dd752fea68f4a;p=thirdparty%2Fopenssl.git

ssl/statem/statem_dtls.c: fix leak in dtls1_buffer_message()

pqueue_insert() may fail, but its return value was not checked. This could leak the allocated pitem and handshake fragment. Free them when insertion fails, using pitem_free() for proper cleanup.

Solves https://github.com/openssl/openssl/issues/30442

Fixes #30442

Signed-off-by: huanghuihui0904 <625173@qq.com>

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 23:11:54 2026
(Merged from https://github.com/openssl/openssl/pull/30443)
---

diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 1644c6e47c6..860d4c1c005 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -1262,7 +1262,11 @@ int dtls1_buffer_message(SSL_CONNECTION *s, int is_ccs)
         return 0;
     }
 
-    pqueue_insert(s->d1->sent_messages, item);
+    if (pqueue_insert(s->d1->sent_messages, item) == NULL) {
+        dtls1_hm_fragment_free(frag);
+        pitem_free(item);
+        return 0;
+    }
     return 1;
 }