details: http://freenginx.org/hg/nginx/rev/87c2bbf0e078
branches:
changeset: 9473:87c2bbf0e078
user: Maxim Dounin <[email protected]>
date: Fri Mar 06 07:29:10 2026 +0300
description:
SSL: added missing "goto failed" in ECH handling with BoringSSL.

The "goto failed" statement was missed in the EVP_HPKE_KEY_new() error handling, as used during configuration of Encrypted Client Hello (ECH) with BoringSSL, resulting in segmentation fault in EVP_HPKE_KEY_init() if memory allocation in EVP_HPKE_KEY_new() failed. Missed in 9422:deb1ec630f7c (1.29.2). Reported by Yu Zhu, https://github.com/freenginx/nginx/issues/16 diffstat: src/event/ngx_event_openssl.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (11 lines): diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -2023,6 +2023,7 @@ failed: if (hpkey == NULL) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "EVP_HPKE_KEY_new() failed"); + goto failed; } if (EVP_HPKE_KEY_init(hpkey, EVP_hpke_x25519_hkdf_sha256(),
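
Review bot: the added `goto failed;` in the `if (hpkey == NULL)` branch now enters the cleanup path with `hpkey` still NULL, and that cleanup code is outside this hunk, so please confirm that whatever it does with `hpkey` is NULL-safe. Otherwise the crash only moves from `EVP_HPKE_KEY_init()` to the error path. Since the defect was a logged failure with no jump after `ngx_ssl_error(...)`, it is also worth checking the neighbouring allocation and init checks in this ECH block for the same pattern, starting with the `EVP_HPKE_KEY_init(hpkey, ...)` check that follows. The failure only occurs when allocation fails, so a run with an injected allocation failure in `EVP_HPKE_KEY_new()` would be a useful regression check if the test setup allows it.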
