Commit d62febf758 for openssl.org
commit d62febf758fafdfa90a599df2028cbe1b5d52f2a
Author: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date: Sun Oct 12 21:28:08 2025 +0800
quic: free popped incoming channel on early exit in accept_connection
If we pop a channel but fail to extract or adopt its SSL pointer,
we return without releasing the channel. Add a small cleanup at
the function epilogue to free new_ch when conn_ssl is NULL.
Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Saša NedvÄ›dický <sashan@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Mon Jan 12 18:54:05 2026
(Merged from https://github.com/openssl/openssl/pull/28920)
diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 87c1370a8d..46a34a1063 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -4800,6 +4800,11 @@ SSL *ossl_quic_accept_connection(SSL *ssl, uint64_t flags)
}
out:
+ if (conn_ssl == NULL && new_ch != NULL) {
+ ossl_quic_channel_free(new_ch);
+ new_ch = NULL;
+ }
+
qctx_unlock(&ctx);
return conn_ssl;
}