From: Joshua Rogers Date: Sun, 12 Oct 2025 13:28:08 +0000 (+0800) Subject: quic: free popped incoming channel on early exit in accept_connection X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d62febf758fafdfa90a599df2028cbe1b5d52f2a;p=thirdparty%2Fopenssl.git quic: free popped incoming channel on early exit in accept_connection If we pop a channel but fail to extract or adopt its SSL pointer, we return without releasing the channel. Add a small cleanup at the function epilogue to free new_ch when conn_ssl is NULL. Signed-off-by: Joshua Rogers Reviewed-by: Saša Nedvědický Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz MergeDate: Mon Jan 12 18:54:05 2026 (Merged from https://github.com/openssl/openssl/pull/28920) --- diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 87c1370a8d6..46a34a10631 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -4800,6 +4800,11 @@ SSL *ossl_quic_accept_connection(SSL *ssl, uint64_t flags) } out: + if (conn_ssl == NULL && new_ch != NULL) { + ossl_quic_channel_free(new_ch); + new_ch = NULL; + } + qctx_unlock(&ctx); return conn_ssl; }
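Review bot: The cleanup added under the `out:` label uses `conn_ssl == NULL` as the sole signal that `new_ch` is still owned by this function, and the hunk adds no comment stating that invariant. The commit message says a failure to "extract or adopt" the SSL pointer leads here, so please confirm that no failing adoption path has already handed the channel to another object that frees it, since that would turn the leak into a double free. A one-line comment above the `if` saying that ownership transfers only once `conn_ssl` is set would help, or `new_ch` could be cleared at the point of successful adoption so the check becomes just `new_ch != NULL`. Two smaller points: the `new_ch = NULL;` store has no reader in the visible lines before `return conn_ssl;` and can be dropped if `new_ch` is a local, and the free runs before `qctx_unlock(&ctx)`, which is worth noting in the comment if channel teardown is required to happen under the lock.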