git.ipfire.org Git - thirdparty/openssl.git/commitdiff
quic: fix NULL pointer dereference in ossl_uint_set_remove()
author Abhinav Agarwal <abhinavagarwal1996@gmail.com>
Wed, 18 Mar 2026 16:01:07 +0000 (09:01 -0700)
committer Eugene Syromiatnikov <esyr@openssl.org>
Thu, 19 Mar 2026 19:23:45 +0000 (20:23 +0100)
In the range-splitting path, create_set_item() can return NULL under
memory pressure. The result was passed directly to
ossl_list_uint_set_insert_after() without a NULL check, causing an
immediate crash. This path is reachable during normal QUIC ACK
processing under memory exhaustion.

Check the allocation result before insertion and return 0 on failure.

Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type"
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 19 19:24:09 2026
(Merged from https://github.com/openssl/openssl/pull/30490)

ssl/quic/uint_set.c

index f81148c79af7c266ff6d2e04c9ac9c21bf4eab61..81d823e19be61c19c0b5ed273cc091f131456795 100644 (file)
@@ -303,6 +303,8 @@ int ossl_uint_set_remove(UINT_SET *s, const UINT_RANGE *range)
              * handled by the above cases.
              */
             y = create_set_item(end + 1, z->range.end);
+            if (y == NULL)
+                return 0;
             ossl_list_uint_set_insert_after(s, z, y);
             z->range.end = start - 1;
             break;
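
Review bot: the new `if (y == NULL) return 0;` in the range-splitting branch of ossl_uint_set_remove() adds a failure exit with no test and no statement of what the caller can assume about the set afterwards. The check sits before `z->range.end = start - 1;`, so `z` itself is left untouched when the allocation fails, which is the right ordering. What the hunk does not show is whether ranges handled by "the above cases" may already have been removed from `s` before this branch is reached, so please document in the function comment whether a 0 return can leave the set partially modified. Since the commit message says this path is reachable during QUIC ACK processing, it is also worth confirming that those callers check the return value, and adding a test that forces create_set_item() to fail in the split case so the new branch is exercised.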