From: Abhinav Agarwal Date: Thu, 2 Apr 2026 05:58:30 +0000 (-0700) Subject: quic: fix NULL deref in ossl_quic_new_from_listener() X-Git-Tag: openssl-4.0.0~51 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fd54c6b915b366b639baf7e8e1c35f6eee6b3eea;p=thirdparty%2Fopenssl.git quic: fix NULL deref in ossl_quic_new_from_listener() ossl_quic_port_create_outgoing() can return NULL under memory pressure. The result was used immediately by ossl_quic_channel_set_msg_callback() without a NULL check, causing a crash on the SSL_new_from_listener() API path. The correct pattern already exists in create_channel() (same file): check the return value and raise a non-normal error before jumping to cleanup. Apply the same pattern here. Fixes: 0b15147a37c ("Implement SSL_new_from_listener()") Signed-off-by: Abhinav Agarwal Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz MergeDate: Fri Apr 3 15:46:54 2026 (Merged from https://github.com/openssl/openssl/pull/30667) (cherry picked from commit 1d2d30377017457926616c160258d32b5e963f6c) --- diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index ea764300093..acb9551b360 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -4562,6 +4562,10 @@ SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags) * to grab reference for qc. */ qc->ch = ossl_quic_port_create_outgoing(qc->port, qc->tls); + if (qc->ch == NULL) { + QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL); + goto err; + } ossl_quic_channel_set_msg_callback(qc->ch, ql->obj.ssl.ctx->msg_callback, &qc->obj.ssl); ossl_quic_channel_set_msg_callback_arg(qc->ch, ql->obj.ssl.ctx->msg_callback_arg);
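Review bot: the new `goto err` in ossl_quic_new_from_listener() is taken with `qc->port` and `qc->tls` already populated but `qc->ch` still NULL, and the `err` label lies outside the visible context, so please confirm that the cleanup there tolerates a NULL `qc->ch` and releases everything acquired before this point exactly once. The comment just above the call mentions grabbing a reference for qc; if that reference is only taken after the channel exists, the early exit must not drop it. The commit message attributes the NULL return to memory pressure while the hunk raises `ERR_R_INTERNAL_ERROR`. That is consistent with the create_channel() pattern the message cites, but a short comment saying allocation failure is the expected cause would help whoever later triages this error from SSL_new_from_listener(). No test accompanies the change; a case that forces ossl_quic_port_create_outgoing() to fail and asserts that SSL_new_from_listener() returns NULL with an error queued would guard against the missing check coming back.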