Commit b2aa6a1c67 for openssl.org
commit b2aa6a1c67a80667a0375aa112242f218e7448d6
Author: Abhinav Agarwal <abhinavagarwal1996@gmail.com>
Date: Wed Mar 18 09:01:07 2026 -0700
quic: fix NULL pointer dereference in ossl_uint_set_remove()
In the range-splitting path, create_set_item() can return NULL under
memory pressure. The result was passed directly to
ossl_list_uint_set_insert_after() without a NULL check, causing an
immediate crash. This path is reachable during normal QUIC ACK
processing under memory exhaustion.
Check the allocation result before insertion and return 0 on failure.
Fixes: c5ca718003e6 "uint_set: convert uint_set to use the list data type"
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
MergeDate: Thu Mar 19 19:24:09 2026
(Merged from https://github.com/openssl/openssl/pull/30490)
diff --git a/ssl/quic/uint_set.c b/ssl/quic/uint_set.c
index f81148c79a..81d823e19b 100644
--- a/ssl/quic/uint_set.c
+++ b/ssl/quic/uint_set.c
@@ -303,6 +303,8 @@ int ossl_uint_set_remove(UINT_SET *s, const UINT_RANGE *range)
* handled by the above cases.
*/
y = create_set_item(end + 1, z->range.end);
+ if (y == NULL)
+ return 0;
ossl_list_uint_set_insert_after(s, z, y);
z->range.end = start - 1;
break;
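Review bot: The `y == NULL` early return is safe only because `z->range.end = start - 1` comes after the insert; nothing has been modified at the point of return, so the set keeps its previous contents and no range is lost. That ordering is load-bearing and worth a one-line comment above the check (e.g. "fail before mutating z so the set stays consistent"), since swapping the two statements in a later refactor would silently drop the tail of `z` on allocation failure. The hunk shows the function returning 0 but not how callers on the ACK-processing path treat that value; confirm they propagate the failure rather than ignoring it, otherwise the crash becomes a quietly wrong set.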