Commit ff08a2c6d1 for openssl.org

commit ff08a2c6d10cdd143259619b7f8eed564713458c
Author: Matt Caswell <matt@openssl.foundation>
Date:   Tue May 19 09:47:18 2026 +0100

    There is no need to call custom_ext_copy_old_cb after reallocing dst->meths

    In custom_exts_copy_conn we realloc'd the dst->meths buffer, and then
    called `custom_ext_copy_old_cb` to transfer ownership of the all style
    API wrapper allocations to the newly realloc'd buffer. But this makes
    no sense. The buffer is realloc'd, and the old buffer is no longer freed,
    so ownership of the old style API wrapper allocations transfer as well.
    This is actually a use-after-free (we can no longer access the old buffer
    once its been realloc'd), and also causes a leak. We just delete this
    code.

    Reviewed-by: Bob Beck <beck@openssl.org>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Mon Jun  8 07:51:55 2026
    (Merged from https://github.com/openssl/openssl/pull/31238)

diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index 881e42be07..71fb169c31 100644
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -411,9 +411,6 @@ int custom_exts_copy_conn(custom_ext_methods *dst,
             if (methdst == NULL)
                 return 0;

-            for (i = 0; i < dst->meths_count; i++)
-                custom_ext_copy_old_cb(&methdst[i], &dst->meths[i], &err);
-
             dst->meths = methdst;
             methdst += dst->meths_count;