QUIC: fixed possible segfault on handshake failures.

When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be called late, after the QUIC connection was already closed on handshake failure, resulting in a segmentation fault. For instance, it happened if a client Finished message didn't align with a record boundary.
author: Jan Svojanovsky <jan.svojanovsky@cdn77.com> 2025-12-09 12:27:02 +0100
committer: Sergey Kandaurov <s.kandaurov@f5.com> 2025-12-09 21:25:10 +0400
commit: 66fde99b1d9113128778125c2f942f1d0f016be5 (patch)
tree: 20b1b87a680d0fb1a148b2719045485026aa8986 /src/event
parent: 61690b5dc04ac31e4b402695cfc71c504be489dd (diff)
download: nginx-66fde99b1d9113128778125c2f942f1d0f016be5.tar.gz
nginx-66fde99b1d9113128778125c2f942f1d0f016be5.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/src/event/quic/ngx_event_quic_ssl.c b/src/event/quic/ngx_event_quic_ssl.c
index a502431f4..18992ae1b 100644
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@@ -185,7 +185,13 @@ ngx_quic_cbs_release_rcd(ngx_ssl_conn_t *ssl_conn, size_t bytes_read, void *arg)
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "quic ngx_quic_cbs_release_rcd len:%uz", bytes_read);
 
+    /* already closed on handshake failure */
+
     qc = ngx_quic_get_connection(c);
+    if (qc == NULL) {
+        return 1;
+    }
+
     ctx = ngx_quic_get_send_ctx(qc, qc->read_level);
 
     cl = ngx_quic_read_buffer(c, &ctx->crypto, bytes_read);
author	Jan Svojanovsky <jan.svojanovsky@cdn77.com>	2025-12-09 12:27:02 +0100
committer	Sergey Kandaurov <s.kandaurov@f5.com>	2025-12-09 21:25:10 +0400
commit	66fde99b1d9113128778125c2f942f1d0f016be5 (patch)
tree	20b1b87a680d0fb1a148b2719045485026aa8986 /src/event
parent	61690b5dc04ac31e4b402695cfc71c504be489dd (diff)
download	nginx-66fde99b1d9113128778125c2f942f1d0f016be5.tar.gz nginx-66fde99b1d9113128778125c2f942f1d0f016be5.tar.bz2