For a remote CONNECTION_CLOSE, src->reason points straight into the
received packet and holds exactly reason_len bytes with no guaranteed
trailing byte. copy_tcause() did OPENSSL_memdup(src->reason, l + 1),
reading one byte past the source. The +1 is only needed to make room
for the NUL written at r[l], so allocate l + 1 but copy only the l
valid bytes.
Fixes: 40c8c756c86f "QUIC APL/CHANNEL: Wire up connection closure reason"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
MergeDate: Wed Jun 3 11:39:47 2026
(Merged from https://github.com/openssl/openssl/pull/31349)
* If this fails, dst->reason becomes NULL and we simply do not use a
* reason. This ensures termination is infallible.
*/
- dst->reason = r = OPENSSL_memdup(src->reason, l + 1);
+ dst->reason = r = OPENSSL_malloc(l + 1);
if (r == NULL)
return;
+ memcpy(r, src->reason, l);
r[l] = '\0';
dst->reason_len = l;
}
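Review bot: The added OPENSSL_malloc(l + 1) / memcpy(r, src->reason, l) pair reads like an open-coded OPENSSL_memdup, and the comment above it only covers the allocation-failure case, so a later cleanup could fold it back into memdup(src->reason, l + 1) and reintroduce the one-byte over-read. Extend that comment with one sentence saying that src->reason may point into a received packet with exactly l valid bytes and no terminator, which is why only l bytes are copied. Separately, the visible context does not show a guard for src->reason being NULL or l being 0 before the memcpy; passing a NULL source to memcpy is undefined even with a zero length, so confirm the code above this hunk rules that out. Also check that dst->reason_len is already 0 on the early return taken when r == NULL, since in these lines it is only assigned after the copy succeeds.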