From: Alexandr Nedvedicky <sashan@openssl.org>
Date: Tue, 12 May 2026 14:12:40 +0000 (+0200)
Subject: Fix NULL dereference in QUIC address validation
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=5097ec4dae239112498abb722e255ea60ef7ac48;p=thirdparty%2Fopenssl.git

Fix NULL dereference in QUIC address validation

QUIC server crashes when address validation (RFC 9000, Section 8.1)
is disabled and client sends initial packet with invalid token.

Issue reported and fix submitted by Sunwoo Lee (KENTECH),
Hyuk Lim (KENTECH) and Seunghyun Yoon (KENTECH)

Fixes CVE-2026-42764

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon Jun  8 14:50:48 2026
---

diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index e29e4bcf74b..9115143f528 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -1799,8 +1799,10 @@ static void port_default_packet_handler(QUIC_URXE *e, void *arg,
          * forget qrx so channel can create a new one
          * with valid initial encryption level keys.
          */
-        qrx_src = qrx;
-        qrx = NULL;
+        if (qrx != NULL) {
+            qrx_src = qrx;
+            qrx = NULL;
+        }
     }
 
     port_bind_channel(port, &e->peer, &hdr.dst_conn_id,