[PATCH] SSL: added missing "goto failed" in ECH handling with BoringSSL
Maxim Dounin
mdounin at mdounin.ru
Thu Feb 26 03:18:44 UTC 2026
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1772075900 -10800
# Thu Feb 26 06:18:20 2026 +0300
# Node ID e9ff0a43ca4d265a883b3df523c2a8db03c6e99e
# Parent c5a5aa2658d7bd6c0ec17600dc6be11b93e8c1f5

SSL: added missing "goto failed" in ECH handling with BoringSSL.

The "goto failed" statement was missed in the EVP_HPKE_KEY_new() error
handling, as used during configuration of Encrypted Client Hello (ECH)
with BoringSSL, resulting in segmentation fault in EVP_HPKE_KEY_init()
if memory allocation in EVP_HPKE_KEY_new() failed. Missed in
9422:deb1ec630f7c (1.29.2).

Reported by Yu Zhu,
https://github.com/freenginx/nginx/issues/16

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2023,6 +2023,7 @@ failed:
if (hpkey == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"EVP_HPKE_KEY_new() failed");
+ goto failed;
}
if (EVP_HPKE_KEY_init(hpkey, EVP_hpke_x25519_hkdf_sha256(),
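
Review bot: The new `goto failed;` in the `hpkey == NULL` branch jumps to cleanup code that is not visible in this hunk, so it is worth confirming that the `failed:` path tolerates a NULL `hpkey` (any free of `hpkey` there should be NULL-safe or guarded) and releases whatever was allocated earlier in the function. The `failed:` shown in the `@@` header is a label picked up as context, not a function name, so the hunk alone does not show which function is being changed or what the label does. The error branch of the `EVP_HPKE_KEY_init()` call that follows is cut off by the context and should be checked for the same omission.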