Commit 80f97a9072 for openssl.org
commit 80f97a9072e96ef7b7f708ac944bce47abbf13ff
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date: Thu May 7 19:13:30 2026 +0200
Fix UAF if QUIC channel init fails
This happens because qc->port is not reset to NULL after the first free on the
channel-creation failure path, so when it is freed again in ossl_quic_new the
stale pointer is dereferenced.
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Mon May 18 10:50:23 2026
(Merged from https://github.com/openssl/openssl/pull/31109)
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index f2fa0d542b..0d3c0fb3c5 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -691,6 +691,9 @@ static void quic_unref_port_bios(QUIC_PORT *port)
{
BIO *b;
+ if (port == NULL)
+ return;
+
b = ossl_quic_port_get_net_rbio(port);
BIO_free_all(b);
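Review bot: The new NULL guard at the top of quic_unref_port_bios carries no comment saying when port can legitimately be NULL, so a later reader may take it for a redundant defensive check and drop it, reintroducing the crash this commit fixes. I would add, above the guard, `/* qc->port is NULL when create_channel() already tore it down; nothing to unref. */`. The body of quic_unref_port_bios continues past the end of this hunk.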
@@ -1871,6 +1874,7 @@ static int create_channel(QUIC_CONNECTION *qc, SSL_CTX *ctx)
if (qc->port == NULL) {
QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
ossl_quic_engine_free(qc->engine);
+ qc->engine = NULL;
return 0;
}
@@ -1878,7 +1882,9 @@ static int create_channel(QUIC_CONNECTION *qc, SSL_CTX *ctx)
if (qc->ch == NULL) {
QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
ossl_quic_port_free(qc->port);
+ qc->port = NULL;
ossl_quic_engine_free(qc->engine);
+ qc->engine = NULL;
return 0;
}
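Review bot: The free-and-null sequence added here duplicates the one in the previous hunk (the port == NULL path), and per the commit message ossl_quic_new tears qc down again on failure, so create_channel now has two hand-written unwind paths that must be kept in sync by hand. A single `err:` label at the end of create_channel that frees and nulls both pointers would let each early exit become a `goto err`; this assumes ossl_quic_port_free and ossl_quic_engine_free accept NULL, which is the usual OpenSSL convention but cannot be confirmed from this diff. The rest of create_channel, including its success return and closing brace, lies outside the hunk, which is where the label would go.
```c
    if (qc->port == NULL) {
        QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
        goto err;
    }
    /* … unchanged: channel creation … */
    if (qc->ch == NULL) {
        QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
        goto err;
    }
    /* … unchanged: remainder of create_channel up to its success return … */
err:
    /* Both free routines are assumed to tolerate NULL; port is NULL on the first path. */
    ossl_quic_port_free(qc->port);
    qc->port = NULL;
    ossl_quic_engine_free(qc->engine);
    qc->engine = NULL;
    return 0;
```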