openssl/include
Alexandr Nedvedicky 211b564f86 Make SSL_get_stream_write_state() safe for concluded streams
QUIC stack may panic when application calls SSL_get_stream_write_state()
on concluded QUIC stream object. The sequence of actions which leads
to NULL pointer dereference is as follows:
  - application uses SSL_stream_conclude(ssl_stream, 0) to conclude
    the stream (let remote peer know not to expect more data)

  - application uses SSL_get_stream_write_state(ssl_stream)
    to query stream state.

If underlying sstream object is gone by the time when
SSL_get_stream_write_state() is called, then application
may see NULL pointer dereference. The underlying sstream
object is freed when FIN sent on behalf of SSL_stream_conclude()
is ACKed by remote peer.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.foundation>
MergeDate: Tue Apr 28 12:35:41 2026
(Merged from https://github.com/openssl/openssl/pull/30913)
2026-04-28 14:34:12 +02:00