Commit 00df8afc01 for openssl.org
commit 00df8afc0132ee603004a967a78f5968eb235697
Author: Sunwoo Lee <sunwoolee@kentech.ac.kr>
Date: Sat Mar 28 08:22:02 2026 +0900
quic: fix channel leak when ossl_quic_provide_initial_secret fails
In port_bind_channel(), when ossl_quic_provide_initial_secret()
fails, the function returns without freeing the QUIC_CHANNEL
that was just created by port_make_channel(). The caller sees
new_ch == NULL and cannot free it, leaking the channel and all
its sub-allocations (QRX, QTX, TXP, ACKM).
Add ossl_quic_channel_free(ch) before the early return, matching
the cleanup pattern already used by the other error paths in the
same function (lines 864, 873).
CWE-401
Reported-by: Sunwoo Lee <sunwoolee@kentech.ac.kr>
CLA: trivial
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Saša NedvÄ›dický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
MergeDate: Wed Apr 15 10:44:51 2026
(Merged from https://github.com/openssl/openssl/pull/30612)
diff --git a/ssl/quic/quic_port.c b/ssl/quic/quic_port.c
index 5b891581dc..644b4e0fe5 100644
--- a/ssl/quic/quic_port.c
+++ b/ssl/quic/quic_port.c
@@ -850,8 +850,10 @@ static void port_bind_channel(QUIC_PORT *port, const BIO_ADDR *peer,
if (!ossl_quic_provide_initial_secret(ch->port->engine->libctx,
ch->port->engine->propq,
dcid, /* is_server */ 1,
- ch->qrx, NULL))
+ ch->qrx, NULL)) {
+ ossl_quic_channel_free(ch);
return;
+ }
if (odcid->id_len != 0) {
/*