From 66fde99b1d9113128778125c2f942f1d0f016be5 Mon Sep 17 00:00:00 2001
From: Jan Svojanovsky
Date: Tue, 9 Dec 2025 12:27:02 +0100
Subject: [PATCH] QUIC: fixed possible segfault on handshake failures.

When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be called late, after the QUIC connection was already closed on handshake failure, resulting in a segmentation fault. For instance, it happened if a client Finished message didn't align with a record boundary.
---
 src/event/quic/ngx_event_quic_ssl.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
index a502431f4..18992ae1b 100644
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -185,7 +185,13 @@ ngx_quic_cbs_release_rcd(ngx_ssl_conn_t *ssl_conn, size_t bytes_read, void *arg) ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic ngx_quic_cbs_release_rcd len:%uz", bytes_read); + /* already closed on handshake failure */ + qc = ngx_quic_get_connection(c); + if (qc == NULL) { + return 1; + } + ctx = ngx_quic_get_send_ctx(qc, qc->read_level); cl = ngx_quic_read_buffer(c, &ctx->crypto, bytes_read);
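Review bot: The early return on `qc == NULL` in ngx_quic_cbs_release_rcd reports success (`return 1;`) without leaving any trace, and the comment that explains it sits above the `qc = ngx_quic_get_connection(c);` lookup rather than on the branch it justifies. The commit message says a client Finished message that does not align with a record boundary reaches this path, so I would move the comment inside the `if` and add a debug line there, for example `ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic release_rcd after close");`, so the late callback is visible when diagnosing handshake failures. It is also worth confirming whether the other OpenSSL 3.5 QUIC callbacks in this file use the result of ngx_quic_get_connection() without the same guard; they are outside this hunk, so that cannot be judged from here. The function body starts before and continues past the hunk.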