Commit 46b5165d44 for openssl.org

commit 46b5165d44562724647d538047aa8568421def45
Author: rootvector2 <dxbnaveed.k@gmail.com>
Date:   Mon Jun 1 13:25:41 2026 +0530

    quic: avoid one-byte over-read of conn close reason in copy_tcause

    For a remote CONNECTION_CLOSE, src->reason points straight into the
    received packet and holds exactly reason_len bytes with no guaranteed
    trailing byte. copy_tcause() did OPENSSL_memdup(src->reason, l + 1),
    reading one byte past the source. The +1 is only needed to make room
    for the NUL written at r[l], so allocate l + 1 but copy only the l
    valid bytes.

    Fixes: 40c8c756c86f "QUIC APL/CHANNEL: Wire up connection closure reason"

    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
    MergeDate: Wed Jun  3 11:39:47 2026
    (Merged from https://github.com/openssl/openssl/pull/31349)

diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index 07258f1a9b..d00b14f04f 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -3211,10 +3211,11 @@ static void copy_tcause(QUIC_TERMINATE_CAUSE *dst,
          * If this fails, dst->reason becomes NULL and we simply do not use a
          * reason. This ensures termination is infallible.
          */
-        dst->reason = r = OPENSSL_memdup(src->reason, l + 1);
+        dst->reason = r = OPENSSL_malloc(l + 1);
         if (r == NULL)
             return;

+        memcpy(r, src->reason, l);
         r[l] = '\0';
         dst->reason_len = l;
     }
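Review bot: the new `OPENSSL_malloc(l + 1)` / `memcpy(r, src->reason, l)` pair has no comment saying why it is not a single `OPENSSL_memdup()` call, and the comment above it only covers the allocation-failure path. A one-line note that `src->reason` may point into a received packet holding exactly `l` bytes, so only `l` bytes may be read while `l + 1` are allocated for the NUL, would stop a later cleanup from folding this back into `OPENSSL_memdup(src->reason, l + 1)` and reintroducing the over-read. Two things to confirm in the surrounding code, since neither is visible in this hunk. First, `dst->reason_len` is only assigned on the success path here, so it should already be zero when `if (r == NULL) return;` is taken. Second, the enclosing condition should rule out `l == 0` with a NULL `src->reason` before the `memcpy`. A test that feeds a CONNECTION_CLOSE reason from an exactly-sized heap buffer under ASan would also pin the fix down.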