From: Alexandr Nedvedicky <sashan@openssl.org>
Date: Wed, 8 Apr 2026 09:55:24 +0000 (+0200)
Subject: Fix memory leak in ossl_uint_set_insert()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4079c804ffaf363c8723c2589308e43888df820;p=thirdparty%2Fopenssl.git

Fix memory leak in ossl_uint_set_insert()

There is a missing call to OPENSSL_free() in the branch
where existing sets are merged to new range. There is
no evidence/POC OpenSSL poject is aware of the leak can
be triggered by QUIC protocol operation.

The issue has been kindly reported by Abhinav Agarwal (@abhinavagarwal07)

Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type"

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 11:28:41 2026
(Merged from https://github.com/openssl/openssl/pull/30718)
---

diff --git a/ssl/quic/uint_set.c b/ssl/quic/uint_set.c
index 81d823e19be..b01110a58ef 100644
--- a/ssl/quic/uint_set.c
+++ b/ssl/quic/uint_set.c
@@ -174,6 +174,7 @@ int ossl_uint_set_insert(UINT_SET *s, const UINT_RANGE *range)
         for (x = ossl_list_uint_set_next(x); x != NULL; x = xnext) {
             xnext = ossl_list_uint_set_next(x);
             ossl_list_uint_set_remove(s, x);
+            OPENSSL_free(x);
         }
         return 1;
     }