Fix null derefs in ossl_quic_new_listener on mfail

This is caused incorrect err cleanup of mutex even if ql does not exist
(allocation failed).

It also fixes missing freeing of ports that result in assertion failure
because engine port list is not empty.

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Thu May 21 08:52:14 2026
(Merged from https://github.com/openssl/openssl/pull/31112)

diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 0d3c0fb3c5da1077054af753dd64051bd69ecbaf..3e2303e7fe451759f7a2f0f1778ed90b8ccee226 100644 (file)
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -4685,7 +4685,7 @@ SSL *ossl_quic_new_listener(SSL_CTX *ctx, uint64_t flags)
 
     if ((ql = OPENSSL_zalloc(sizeof(*ql))) == NULL) {
         QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_CRYPTO_LIB, NULL);
-        goto err;
+        return NULL;
     }
 
 #if defined(OPENSSL_THREADS)
@@ -4733,8 +4733,8 @@ SSL *ossl_quic_new_listener(SSL_CTX *ctx, uint64_t flags)
     return &ql->obj.ssl;
 
 err:
-    if (ql != NULL)
-        ossl_quic_engine_free(ql->engine);
+    ossl_quic_port_free(ql->port);
+    ossl_quic_engine_free(ql->engine);
 
 #if defined(OPENSSL_THREADS)
     ossl_crypto_mutex_free(&ql->mutex);