Commit 1d2d303770 for openssl.org

commit 1d2d30377017457926616c160258d32b5e963f6c
Author: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
Date:   Wed Apr 1 22:58:30 2026 -0700

    quic: fix NULL deref in ossl_quic_new_from_listener()

    ossl_quic_port_create_outgoing() can return NULL under memory pressure.
    The result was used immediately by ossl_quic_channel_set_msg_callback()
    without a NULL check, causing a crash on the SSL_new_from_listener()
    API path.

    The correct pattern already exists in create_channel() (same file): check
    the return value and raise a non-normal error before jumping to cleanup.
    Apply the same pattern here.

    Fixes: 0b15147a37c ("Implement SSL_new_from_listener()")
    Signed-off-by: Abhinav Agarwal <abhinavagarwal1996@gmail.com>

    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Fri Apr  3 15:46:54 2026
    (Merged from https://github.com/openssl/openssl/pull/30667)

diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
index 8fb6091171..9dfd28c930 100644
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@@ -4969,6 +4969,10 @@ SSL *ossl_quic_new_from_listener(SSL *ssl, uint64_t flags)
      * to grab reference for qc.
      */
     qc->ch = ossl_quic_port_create_outgoing(qc->port, qc->tls);
+    if (qc->ch == NULL) {
+        QUIC_RAISE_NON_NORMAL_ERROR(NULL, ERR_R_INTERNAL_ERROR, NULL);
+        goto err;
+    }

     ossl_quic_channel_set_msg_callback(qc->ch, ql->obj.ssl.ctx->msg_callback, &qc->obj.ssl);
     ossl_quic_channel_set_msg_callback_arg(qc->ch, ql->obj.ssl.ctx->msg_callback_arg);