Commit 854ea3aa93 for openssl.org

commit 854ea3aa93a29e672d0a8f46e415002f3a75fe4b
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date:   Wed Mar 18 10:13:26 2026 +0100

    quic_channel.c: avoid clipping in ack_delay_exponent/disable_active_migration setters

    Avoid clipping of the provided values in setters due to type casting
    by checking the values agains the type-specific maximum beforehand.

    Fixes: 35dc6c353bfe "QUIC: Make more transport parameters configurable"
    Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Wed Apr  8 10:05:27 2026
    (Merged from https://github.com/openssl/openssl/pull/30485)

diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index a980f87d00..ab33e66efd 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -4239,6 +4239,14 @@ int ossl_quic_channel_set_ack_delay_exponent_request(QUIC_CHANNEL *ch, uint64_t
     if (ossl_quic_channel_have_generated_transport_params(ch))
         return 0;

+    /*
+     * ossl_quic_tx_packetiser_args_st::ack_delay_exponent is uint32_t,
+     * but quic_channel_st::tx_ack_delay_exp is unsigned char, checking
+     * against the smaller type.
+     */
+    if (exp > UCHAR_MAX)
+        return 0;
+
     if (!ossl_quic_tx_packetiser_set_ack_delay_exponent(ch->txp, (uint32_t)exp))
         return 0;

@@ -4282,6 +4290,9 @@ int ossl_quic_channel_set_disable_active_migration_request(QUIC_CHANNEL *ch, uin
     if (ossl_quic_channel_have_generated_transport_params(ch))
         return 0;

+    if (disable > UCHAR_MAX)
+        return 0;
+
     ch->tx_disable_active_migration = (unsigned char)disable;
     return 1;
 }