Fix NULL dereference in QUIC address validation
authorAlexandr Nedvedicky <sashan@openssl.org>
Tue, 12 May 2026 14:12:40 +0000 (16:12 +0200)
committerTomas Mraz <tomas@openssl.foundation>
Thu, 11 Jun 2026 15:08:41 +0000 (17:08 +0200)
A QUIC server crashes when address validation (RFC 9000, Section 8.1)
is disabled and a client sends an Initial packet with an invalid token.

Issue reported and fix submitted by Sunwoo Lee (KENTECH),
Hyuk Lim (KENTECH) and Seunghyun Yoon (KENTECH)

Fixes CVE-2026-42764

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:50:48 2026

ssl/quic/quic_port.c

index e29e4bcf74be9c0aad3dc297a3373039493accf7..9115143f528fe3c346181659653df12c4d9f410d 100644 (file)
@@ -1799,8 +1799,10 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
          * forget qrx so channel can create a new one
          * with valid initial encryption level keys.
          */
-        qrx_src = qrx;
-        qrx = NULL;
+        if (qrx != NULL) {
+            qrx_src = qrx;
+            qrx = NULL;
+        }
     }
 
     port_bind_channel(port, &e->peer, &hdr.dst_conn_id,
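Review bot: When the new `if (qrx != NULL)` guard is skipped, `qrx = NULL` would have been a no-op anyway, so the only observable effect of the fix is that `qrx_src` keeps whatever value it held before this block instead of being overwritten with NULL. That earlier value and every later use of `qrx_src` lie outside the hunk (port_default_packet_handler starts and ends outside it), so the fix is only as safe as those uses are; a NULL check at the point where `qrx_src` is consumed would make that independent of this branch. The comment above the guard should record the invariant, for example `* qrx may be NULL here (presumably when address validation is disabled); qrx_src is left untouched in that case.` The page shows no test change, so a regression test for the case in the commit message (address validation disabled, Initial packet with an invalid token) would pin the fix for CVE-2026-42764.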