Commit 78ced6c88a for openssl.org

commit 78ced6c88ae3114a408428c54cac9ee9b883cc42
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date:   Wed Mar 18 10:03:08 2026 +0100

    quic_channel.c: avoid integer overflow in ossl_quic_channel_set_max_data_request

    Check that DEFAULT_CONN_RXFC_MAX_WND_MUL * max_data multiplication
    will not overflow uint64_t data type before performing it.

    Fixes: 35dc6c353bfe "QUIC: Make more transport parameters configurable"
    Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Wed Apr  8 10:05:26 2026
    (Merged from https://github.com/openssl/openssl/pull/30485)

diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index e14d7cd8c9..a980f87d00 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -4145,6 +4145,9 @@ int ossl_quic_channel_set_max_data_request(QUIC_CHANNEL *ch, uint64_t max_data)
     if (ossl_quic_channel_have_generated_transport_params(ch))
         return 0;

+    if (max_data > UINT64_MAX / DEFAULT_CONN_RXFC_MAX_WND_MUL)
+        return 0;
+
     if (!ossl_quic_rxfc_init(&ch->conn_rxfc, NULL,
             max_data, DEFAULT_CONN_RXFC_MAX_WND_MUL * max_data,
             get_time, ch))