Fix SSL_SESSION leak in tls_parse_ctos_psk() on ticket error paths

Two early 'return 0' statements bypass the err: label cleanup that
calls SSL_SESSION_free(sess). When tls_decrypt_ticket() allocates an
SSL_SESSION but the decrypt_ticket_cb returns ABORT, the session is
leaked. Replace 'return 0' with 'goto err' so the existing cleanup
handles it.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed May 20 14:38:01 2026
(Merged from https://github.com/openssl/openssl/pull/30464)

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index de09706ab6783e3c3458f160eb7f31296456c4f0..0460cd79e7374b4443d1deeaf54c3ea7cd990283 100644 (file)
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1461,13 +1461,13 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
 
             if (ret == SSL_TICKET_EMPTY) {
                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
-                return 0;
+                goto err;
             }
 
             if (ret == SSL_TICKET_FATAL_ERR_MALLOC
                 || ret == SSL_TICKET_FATAL_ERR_OTHER) {
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
-                return 0;
+                goto err;
             }
             if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT)
                 continue;