[nginx] SSL: added missing "goto failed" in ECH handling with Bo...

Maxim Dounin mdounin at mdounin.ru
Fri Mar 6 04:29:52 UTC 2026


details:   http://freenginx.org/hg/nginx/rev/87c2bbf0e078
branches:  
changeset: 9473:87c2bbf0e078
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Fri Mar 06 07:29:10 2026 +0300
description:
SSL: added missing "goto failed" in ECH handling with BoringSSL.

The "goto failed" statement was missed in the EVP_HPKE_KEY_new() error
handling, as used during configuration of Encrypted Client Hello (ECH)
with BoringSSL, resulting in segmentation fault in EVP_HPKE_KEY_init()
if memory allocation in EVP_HPKE_KEY_new() failed.  Missed in
9422:deb1ec630f7c (1.29.2).

Reported by Yu Zhu,
https://github.com/freenginx/nginx/issues/16

diffstat:

 src/event/ngx_event_openssl.c |  1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diffs (11 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2023,6 +2023,7 @@ failed:
         if (hpkey == NULL) {
             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                           "EVP_HPKE_KEY_new() failed");
+            goto failed;
         }
 
         if (EVP_HPKE_KEY_init(hpkey, EVP_hpke_x25519_hkdf_sha256(),
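
Review bot: The added `goto failed` in the `hpkey == NULL` branch reaches the cleanup path with `hpkey` still NULL, so the code under the `failed` label has to tolerate a NULL key. The hunk does not show that label's body, so it is worth confirming that whatever it releases is NULL-safe or guarded with `if (hpkey != NULL)`. Since the defect was a log-then-fall-through after `ngx_ssl_error()`, the neighbouring error checks in this ECH block, starting with the `EVP_HPKE_KEY_init()` call in the trailing context, deserve the same check that each one leaves via `goto failed` after logging.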

