From: Jakub Zelenka
Date: Thu, 28 May 2026 17:13:01 +0000 (+0200)
Subject: quic: fix keyslot cctx leak by not checking EL state in teardown
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=b084b6ebbf642f237c9f40d9b242aed90482bf20;p=thirdparty%2Fopenssl.git

quic: fix keyslot cctx leak by not checking EL state in teardown

el_teardown_keyslot() decided whether to free a keyslot by calling ossl_qrl_enc_level_set_has_keyslot() against the EL's current state. On error paths the state does not yet match the slots that were provisioned, so the check returned 0 and the cctx and iv were leaked. The fix drops the state check and relies on the existing cctx != NULL check which is sufficient for all callers of el_teardown_keyslot().

Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
Reviewed-by: Saša Nedvědický
MergeDate: Mon Jun 1 07:32:33 2026
(Merged from https://github.com/openssl/openssl/pull/31323)
---
diff --git a/ssl/quic/quic_record_shared.c b/ssl/quic/quic_record_shared.c index e40a604e0d3..ccc6f2901bf 100644 --- a/ssl/quic/quic_record_shared.c +++ b/ssl/quic/quic_record_shared.c @@ -87,9 +87,6 @@ static void el_teardown_keyslot(OSSL_QRL_ENC_LEVEL_SET *els, { OSSL_QRL_ENC_LEVEL *el = ossl_qrl_enc_level_set_get(els, enc_level, 0); - if (!ossl_qrl_enc_level_set_has_keyslot(els, enc_level, el->state, keyslot)) - return; - if (el->cctx[keyslot] != NULL) { EVP_CIPHER_CTX_free(el->cctx[keyslot]); el->cctx[keyslot] = NULL;
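
Review bot: With the state check removed, el_teardown_keyslot() in ssl/quic/quic_record_shared.c depends entirely on the invariant that el->cctx[keyslot] is NULL whenever the slot was never provisioned, and nothing in the function says so. A short comment above `if (el->cctx[keyslot] != NULL) {` stating that the slot pointer, not el->state, decides whether there is something to free would keep a later change from reintroducing a state-based guard, and it is worth confirming that every path that creates an OSSL_QRL_ENC_LEVEL leaves cctx[] zeroed before a failure can reach teardown. The patch touches only this file, so the error path described in the commit message has no regression test; a test that forces key provisioning to fail partway and runs under a leak checker would cover it.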