Commit 4dcf6d276d for openssl.org

commit 4dcf6d276dea963e5d3b1d5de4349f301c17f1ba
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date:   Fri May 29 18:19:15 2026 +0200

    statem: fix missing fatal if valid_flags mfail in process cert req

    It is a contract of tls process functions to trigger fatal error if they
    fail. This is not being done in checking result of s->s3.tmp.valid_flags
    allocation. If this happens, it triggers alert in read_state_machine()
    for READ_STATE_BODY state that calls this process function. It calls
    check_fatal() if MSG_PROCESS_ERROR is returned and the assert in it
    fails because no error is triggered.

    The fix just adds the fatal and also uses MSG_PROCESS_ERROR macro as
    return value instead of hard coded 0.

    Reviewed-by: Milan Broz <mbroz@openssl.org>
    Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
    MergeDate: Wed Jun  3 11:33:33 2026
    (Merged from https://github.com/openssl/openssl/pull/31338)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 7b955111c8..00ca50a3e6 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2966,8 +2966,10 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s,
         s->s3.tmp.valid_flags = OPENSSL_calloc(s->ssl_pkey_num, sizeof(uint32_t));

     /* Give up for good if allocation didn't work */
-    if (s->s3.tmp.valid_flags == NULL)
-        return 0;
+    if (s->s3.tmp.valid_flags == NULL) {
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
+        return MSG_PROCESS_ERROR;
+    }

     if (SSL_CONNECTION_IS_TLS13(s)) {
         PACKET reqctx, extensions;