From 96f424c439b20248940c27b5c9b0e4ee6bad1299 Mon Sep 17 00:00:00 2001 From: Weidong Wang Date: Tue, 17 Mar 2026 12:23:58 -0500 Subject: [PATCH] Fix SSL_SESSION leak in tls_parse_ctos_psk() on ticket error paths Two early 'return 0' statements bypass the err: label cleanup that calls SSL_SESSION_free(sess). When tls_decrypt_ticket() allocates an SSL_SESSION but the decrypt_ticket_cb returns ABORT, the session is leaked. Replace 'return 0' with 'goto err' so the existing cleanup handles it. --- ssl/statem/extensions_srvr.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 6c84518fae1..552c44388e1 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1442,13 +1442,13 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, if (ret == SSL_TICKET_EMPTY) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); - return 0; + goto err; } if (ret == SSL_TICKET_FATAL_ERR_MALLOC || ret == SSL_TICKET_FATAL_ERR_OTHER) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - return 0; + goto err; } if (ret == SSL_TICKET_NONE || ret == SSL_TICKET_NO_DECRYPT) continue; -- 2.47.3