From 3986410e12e2b1abc81965dd96598d4c2dd02b00 Mon Sep 17 00:00:00 2001 From: "user.email" <123011167+lukefr09@users.noreply.github.com> Date: Mon, 23 Feb 2026 19:33:57 -0600 Subject: [PATCH] QUIC: improved error handling in OpenSSL compat layer. Previously ngx_quic_compat_create_record() could try to encrypt a TLS record even if encryption context was missing, which resulted in a NULL pointer dereference. The context is created by ngx_quic_compat_set_encryption_secret() called from the OpenSSL keylog callback. If an error occurred in that function, the context could remain missing. This could happen under memory pressure, if an allocation failed inside this function. The fix is to handle errors from ngx_quic_compat_set_encryption_secret() and set qc->error to trigger an error after SSL_do_handshake() return. Also, a check for context is added to ngx_quic_compat_create_record() to avoid other similar issues. --- src/event/quic/ngx_event_quic_openssl_compat.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/event/quic/ngx_event_quic_openssl_compat.c b/src/event/quic/ngx_event_quic_openssl_compat.c index 6052bc683..331f592a8 100644 --- a/src/event/quic/ngx_event_quic_openssl_compat.c +++ b/src/event/quic/ngx_event_quic_openssl_compat.c @@ -215,8 +215,12 @@ ngx_quic_compat_keylog_callback(const SSL *ssl, const char *line) com->method->set_read_secret((SSL *) ssl, level, cipher, secret, n); com->read_record = 0; - (void) ngx_quic_compat_set_encryption_secret(c, &com->keys, level, - cipher, secret, n); + if (ngx_quic_compat_set_encryption_secret(c, &com->keys, level, + cipher, secret, n) + != NGX_OK) + { + qc->error = NGX_QUIC_ERR_INTERNAL_ERROR; + } } ngx_explicit_memzero(secret, n); @@ -599,6 +603,10 @@ ngx_quic_compat_create_record(ngx_quic_compat_record_t *rec, ngx_str_t *res) secret = &rec->keys->secret; + if (secret->ctx == NULL) { + return NGX_ERROR; + } + ngx_memcpy(nonce, secret->iv.data, secret->iv.len); ngx_quic_compute_nonce(nonce, sizeof(nonce), rec->number); -- 2.47.3