From: Sunwoo Lee Date: Fri, 27 Mar 2026 23:58:41 +0000 (+0900) Subject: quic: remove unused scid from port_default_packet_handler X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=275dab58f07deb08e148e954c096a6d005e2c548;p=thirdparty%2Fopenssl.git quic: remove unused scid from port_default_packet_handler Remove the scid variable entirely from port_default_packet_handler() and all functions that accept it as a parameter. The scid was never used meaningfully — cur_remote_dcid is set later during the handshake. Remove scid parameter from: - port_bind_channel() - port_validate_token() - ossl_quic_channel_on_new_conn() - ossl_quic_bind_channel() - ch_on_new_conn_common() Remove the cur_remote_dcid = *peer_scid assignment in ch_on_new_conn_common() as it wrote dead data. CWE-457 Reported-by: Sunwoo Lee CLA: trivial Reviewed-by: Saša Nedvědický Reviewed-by: Frederik Wedel-Heinen Reviewed-by: Tomas Mraz MergeDate: Wed Apr 8 10:21:55 2026 (Merged from https://github.com/openssl/openssl/pull/30611)
---
diff --git a/include/internal/quic_channel.h b/include/internal/quic_channel.h
index 147642d0fb5..1cfd6495b0e 100644
--- a/include/internal/quic_channel.h
+++ b/include/internal/quic_channel.h
@@ -297,7 +297,6 @@ void ossl_quic_channel_on_new_conn_id(QUIC_CHANNEL *ch,
 /* Temporarily exposed during QUIC_PORT transition. */
 int ossl_quic_channel_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
- const QUIC_CONN_ID *peer_scid,
 const QUIC_CONN_ID *peer_dcid);
 /* For use by QUIC_PORT. You should not need to call this directly. */
@@ -540,8 +539,7 @@ uint64_t ossl_quic_channel_get_active_conn_id_limit_request(const QUIC_CHANNEL *
 uint64_t ossl_quic_channel_get_active_conn_id_limit_peer_request(const QUIC_CHANNEL *ch);
 int ossl_quic_bind_channel(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
- const QUIC_CONN_ID *scid, const QUIC_CONN_ID *dcid,
- const QUIC_CONN_ID *odcid);
+ const QUIC_CONN_ID *dcid, const QUIC_CONN_ID *odcid);
 void ossl_quic_channel_set_tcause(QUIC_CHANNEL *ch, uint64_t app_error_code, const char *app_reason);
diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index ab33e66efd4..fe819b4b2f6 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -3672,7 +3672,6 @@ static void ch_on_idle_timeout(QUIC_CHANNEL *ch)
 * @return 1 on success, 0 on failure to set required elements.
 */
 static int ch_on_new_conn_common(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
- const QUIC_CONN_ID *peer_scid,
 const QUIC_CONN_ID *peer_dcid,
 const QUIC_CONN_ID *peer_odcid)
 {
@@ -3681,7 +3680,6 @@ static int ch_on_new_conn_common(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
 return 0;
 ch->init_dcid = *peer_dcid;
- ch->cur_remote_dcid = *peer_scid;
 ch->odcid.id_len = 0;
 if (peer_odcid != NULL)
@@ -3725,7 +3723,6 @@ static int ch_on_new_conn_common(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
 /* Called when we, as a server, get a new incoming connection. */
 int ossl_quic_channel_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
- const QUIC_CONN_ID *peer_scid,
 const QUIC_CONN_ID *peer_dcid)
 {
 if (!ossl_assert(ch->state == QUIC_CHANNEL_STATE_IDLE && ch->is_server))
@@ -3735,7 +3732,7 @@ int ossl_quic_channel_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
 if (!ossl_quic_lcidm_generate_initial(ch->lcidm, ch, &ch->cur_local_cid))
 return 0;
- return ch_on_new_conn_common(ch, peer, peer_scid, peer_dcid, NULL);
+ return ch_on_new_conn_common(ch, peer, peer_dcid, NULL);
 }
 /**
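Review bot: The doc block ending in `@return 1 on success, 0 on failure to set required elements.` above ch_on_new_conn_common() (`@@ -3672`, ssl/quic/quic_channel.c) opens above the hunk and no hunk in this patch reaches it, so any `@param peer_scid` line it carries now documents a parameter that no longer exists. The same holds for the comment blocks whose tails are visible above ossl_quic_bind_channel() (`@@ -3762`), port_bind_channel() (`@@ -810`) and port_validate_token() (`@@ -1416`). Please check those blocks and delete the scid entries in this commit, so the docs keep matching which peer-supplied connection IDs actually reach the channel.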
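Review bot: After the `@@ -3681` hunk drops `ch->cur_remote_dcid = *peer_scid;`, nothing in the visible part of ch_on_new_conn_common() writes cur_remote_dcid, and the function body continues past the hunk. Any statement further down that still reads `ch->cur_remote_dcid` would now see the value the channel was created with rather than a peer-derived one, so please confirm no such read remains before the handshake assigns it. A comment beside `ch->init_dcid = *peer_dcid;`, e.g. `/* cur_remote_dcid is deliberately not set here; it is assigned later during the handshake */`, would record the ordering the commit message relies on.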
@@ -3762,7 +3759,6 @@ int ossl_quic_channel_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
 * met (e.g., channel is not idle or not a server, or binding fails).
 */
 int ossl_quic_bind_channel(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
- const QUIC_CONN_ID *peer_scid,
 const QUIC_CONN_ID *peer_dcid,
 const QUIC_CONN_ID *peer_odcid)
 {
@@ -3781,7 +3777,7 @@ int ossl_quic_bind_channel(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
 * peer_odcid <=> is initial dst conn id chosen by peer in its
 * first initial packet we received without token.
 */
- return ch_on_new_conn_common(ch, peer, peer_scid, peer_dcid, peer_odcid);
+ return ch_on_new_conn_common(ch, peer, peer_dcid, peer_odcid);
 }
 SSL *ossl_quic_channel_get0_ssl(QUIC_CHANNEL *ch)
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index c6184623bc5..5b891581dc6 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -810,7 +810,7 @@ static void port_rx_pre(QUIC_PORT *port)
 * to *new_ch.
 */
 static void port_bind_channel(QUIC_PORT *port, const BIO_ADDR *peer,
- const QUIC_CONN_ID *scid, const QUIC_CONN_ID *dcid,
+ const QUIC_CONN_ID *dcid,
 const QUIC_CONN_ID *odcid, OSSL_QRX *qrx, QUIC_CHANNEL **new_ch)
 {
@@ -860,7 +860,7 @@ static void port_bind_channel(QUIC_PORT *port, const BIO_ADDR *peer,
 * See RFC 9000 s. 8.1
 */
 ossl_quic_tx_packetiser_set_validated(ch->txp);
- if (!ossl_quic_bind_channel(ch, peer, scid, dcid, odcid)) {
+ if (!ossl_quic_bind_channel(ch, peer, dcid, odcid)) {
 ossl_quic_channel_free(ch);
 return;
 }
@@ -869,7 +869,7 @@ static void port_bind_channel(QUIC_PORT *port, const BIO_ADDR *peer,
 * No odcid means we didn't do server validation, so we need to
 * generate a cid via ossl_quic_channel_on_new_conn
 */
- if (!ossl_quic_channel_on_new_conn(ch, peer, scid, dcid)) {
+ if (!ossl_quic_channel_on_new_conn(ch, peer, dcid)) {
 ossl_quic_channel_free(ch);
 return;
 }
@@ -1416,8 +1416,7 @@ static void port_send_version_negotiation(QUIC_PORT *port, BIO_ADDR *peer,
 * configurable in the future.
 */
 static int port_validate_token(QUIC_PKT_HDR *hdr, QUIC_PORT *port,
- BIO_ADDR *peer, QUIC_CONN_ID *odcid,
- QUIC_CONN_ID *scid, uint8_t *gen_new_token)
+ BIO_ADDR *peer, QUIC_CONN_ID *odcid, uint8_t *gen_new_token)
 {
 int ret = 0;
 QUIC_VALIDATION_TOKEN token = { 0 };
@@ -1477,11 +1476,9 @@ static int port_validate_token(QUIC_PKT_HDR *hdr, QUIC_PORT *port,
 != 0)
 goto err;
 *odcid = token.odcid;
- *scid = token.rscid;
 } else {
 if (!ossl_quic_lcidm_get_unused_cid(port->lcidm, odcid))
 goto err;
- *scid = hdr->src_conn_id;
 }
 /*
@@ -1570,7 +1567,7 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
 PACKET pkt;
 QUIC_PKT_HDR hdr;
 QUIC_CHANNEL *ch = NULL, *new_ch = NULL;
- QUIC_CONN_ID odcid, scid;
+ QUIC_CONN_ID odcid;
 uint8_t gen_new_token = 0;
 OSSL_QRX *qrx = NULL;
 OSSL_QRX *qrx_src = NULL;
@@ -1720,8 +1717,7 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
 */
 if (hdr.token != NULL && port_validate_token(&hdr, port, &e->peer,
- &odcid, &scid,
- &gen_new_token)
+ &odcid, &gen_new_token)
 == 0) {
 /*
 * RFC 9000 s 8.1.3
@@ -1754,7 +1750,7 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
 qrx = NULL;
 }
- port_bind_channel(port, &e->peer, &scid, &hdr.dst_conn_id,
+ port_bind_channel(port, &e->peer, &hdr.dst_conn_id,
 &odcid, qrx, &new_ch);
 /*
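Review bot: `QUIC_CONN_ID odcid;` in port_default_packet_handler() (`@@ -1570`) is still declared without an initialiser, the same CWE-457 shape this commit removes for scid. port_validate_token() is called only when `hdr.token != NULL` (`@@ -1720`) and assigns `*odcid` only after its `goto err` checks (`@@ -1477`), while `&odcid` is handed to port_bind_channel() once that if block closes (`@@ -1754`), where the `@@ -869` comment shows a missing odcid is what marks the peer as not address-validated. Unless `odcid.id_len` is zeroed in handler lines outside these hunks, that decision can rest on indeterminate stack contents; please confirm, or make it explicit with `QUIC_CONN_ID odcid = { 0 };`, as `token` already is in port_validate_token().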