Commit 4d9e2a5797 for openssl.org
commit 4d9e2a5797ec74a20426a6185df01d10a770ccc5
Author: Loganaden Velvindron <logan@cyberstorm.mu>
Date: Wed Jun 10 17:18:19 2026 +0400
ssl/quic/quic_ackm.c: fix use after free for apkt in ackm_on_pkts_acked()
Store the is_inflight flag in a local variable for later use, as apkt->on_acked()
may free apkt.
Fixes: 427a02ad0a71 "QUIC ACKM: Don't record non-inflight packets in CC"
Signed-off-by: Loganaden Velvindron <logan@cyberstorm.mu>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Sun Jun 21 13:55:08 2026
(Merged from https://github.com/openssl/openssl/pull/31447)
diff --git a/ssl/quic/quic_ackm.c b/ssl/quic/quic_ackm.c
index 3d419c478b..d1ac3b88e9 100644
--- a/ssl/quic/quic_ackm.c
+++ b/ssl/quic/quic_ackm.c
@@ -1003,6 +1003,7 @@ static void ackm_on_pkts_acked(OSSL_ACKM *ackm, const OSSL_ACKM_TX_PKT *apkt)
const OSSL_ACKM_TX_PKT *anext;
QUIC_PN last_pn_acked = 0;
OSSL_CC_ACK_INFO ainfo = { 0 };
+ unsigned int is_inflight;
for (; apkt != NULL; apkt = anext) {
if (apkt->is_inflight) {
@@ -1027,10 +1028,11 @@ static void ackm_on_pkts_acked(OSSL_ACKM *ackm, const OSSL_ACKM_TX_PKT *apkt)
ainfo.tx_time = apkt->time;
ainfo.tx_size = apkt->num_bytes;
+ is_inflight = apkt->is_inflight;
anext = apkt->anext;
apkt->on_acked(apkt->cb_arg); /* may free apkt */
- if (apkt->is_inflight)
+ if (is_inflight)
ackm->cc_method->on_data_acked(ackm->cc_data, &ainfo);
}
}
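Review bot: The new `is_inflight` local is declared at function scope but only holds a per-iteration value, and the loop still reads `apkt->is_inflight` directly in its first condition a few lines above the snapshot, so the "copy everything needed before the callback" intent is split across two places. I would take the snapshot once at the top of the iteration and have both the early test and the post-callback test use it: `is_inflight = apkt->is_inflight;` followed by `if (is_inflight) {` in place of the current `if (apkt->is_inflight) {`, keeping the existing `if (is_inflight)` after the callback. The comment on the callback line could also state the invariant explicitly, e.g. `/* may free apkt: nothing below this line may dereference it */`, so a later edit that re-adds a field read after `on_acked()` is caught in review. ackm_on_pkts_acked() begins outside the hunk, so the remaining reads in the body of the early `if` block cannot be checked here.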