From 088b5c2df31833d4b10c8ca6aa5bbb90c9cf80fe Mon Sep 17 00:00:00 2001
From: Ilya Shipitsin
Date: Wed, 16 Aug 2023 19:17:18 +0200
Subject: [PATCH] additional error handling if SSL_CTX_new failed this is a folloup to https://github.com/SoftEtherVPN/SoftEtherVPN/pull/1873
---
 src/Cedar/Proto_OpenVPN.c | 4 ++++
 src/Cedar/Proto_PPP.c | 5 +++++
 src/Cedar/Radius.c | 5 +++++
 src/Mayaqua/Network.c | 8 ++++++++
 4 files changed, 22 insertions(+)
diff --git a/src/Cedar/Proto_OpenVPN.c b/src/Cedar/Proto_OpenVPN.c
index 3b4e38c8..9143d46f 100644
--- a/src/Cedar/Proto_OpenVPN.c
+++ b/src/Cedar/Proto_OpenVPN.c
@@ -824,6 +824,10 @@ void OvsProcessRecvControlPacket(OPENVPN_SERVER *s, OPENVPN_SESSION *se, OPENVPN
 }
 c->SslPipe = NewSslPipeEx(true, s->Cedar->ServerX, s->Cedar->ServerK, s->Dh, true, &c->ClientCert);
+ if (c->SslPipe == NULL)
+ {
+ return;
+ }
 }
 Unlock(s->Cedar->lock);
diff --git a/src/Cedar/Proto_PPP.c b/src/Cedar/Proto_PPP.c
index 2c586e30..498c0bf1 100644
--- a/src/Cedar/Proto_PPP.c
+++ b/src/Cedar/Proto_PPP.c
@@ -3635,6 +3635,11 @@ bool PPPProcessEAPTlsResponse(PPP_SESSION *p, PPP_EAP *eap_packet, UINT eapSize)
 {
 p->Eap_TlsCtx.Dh = DhNewFromBits(DH_PARAM_BITS_DEFAULT);
 p->Eap_TlsCtx.SslPipe = NewSslPipeEx3(true, p->Cedar->ServerX, p->Cedar->ServerK, p->Cedar->ServerChain, p->Eap_TlsCtx.Dh, true, &(p->Eap_TlsCtx.ClientCert), p->Eap_TlsCtx.Tls13SessionTicketsCount, p->Eap_TlsCtx.DisableTls13);
+ if (p->Eap_TlsCtx.SslPipe == NULL)
+ {
+ Debug("EAP-TLS: NewSslPipeEx3 failed\n");
+ return false;
+ }
 }
 // If the current frame is fragmented, or it is a possible last of a fragmented series, bufferize it
diff --git a/src/Cedar/Radius.c b/src/Cedar/Radius.c
index 14c0821c..c17c5b42 100644
--- a/src/Cedar/Radius.c
+++ b/src/Cedar/Radius.c
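Review bot: The new early `return` in OvsProcessRecvControlPacket (src/Cedar/Proto_OpenVPN.c) sits inside the block that is closed just before `Unlock(s->Cedar->lock);`, so it appears to leave the function with the Cedar lock still held. The matching `Lock` call is above the hunk and not visible here, so confirm it; if it is there, a single failed SSL context allocation would block every later user of that lock and turn a transient resource failure into a server-wide hang. Release the lock on the failure path, e.g. `Unlock(s->Cedar->lock);` immediately before `return;`, or record the failure and bail out after the existing `Unlock`. The function body starts and ends outside the hunk, so also check whether session state set up earlier needs cleanup on this path.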
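Review bot: On the new failure path in PPPProcessEAPTlsResponse (src/Cedar/Proto_PPP.c) the `DH_CTX` created one line earlier by `DhNewFromBits` stays in `p->Eap_TlsCtx.Dh` while `SslPipe` is still NULL. If the enclosing condition, which is outside the hunk, is re-entered whenever `SslPipe` is NULL, every repeated EAP-TLS response would allocate a fresh DH context and overwrite the previous pointer, so the leak grows exactly when the server is already short of resources. Consider releasing it before returning, `DhFree(p->Eap_TlsCtx.Dh); p->Eap_TlsCtx.Dh = NULL;` ahead of `return false;`, unless session teardown is known to free it.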
@@ -417,6 +417,11 @@ bool StartPeapSslClient(EAP_CLIENT *e)
 }
 e->SslPipe = NewSslPipe(false, NULL, NULL, NULL);
+ if (e->SslPipe == NULL)
+ {
+ return false;
+ }
+
 send_fifo = e->SslPipe->RawOut->RecvFifo;
 recv_fifo = e->SslPipe->RawIn->SendFifo;
diff --git a/src/Mayaqua/Network.c b/src/Mayaqua/Network.c
index d478bfd9..de0b053e 100644
--- a/src/Mayaqua/Network.c
+++ b/src/Mayaqua/Network.c
@@ -5724,6 +5724,10 @@ SSL_PIPE *NewSslPipeEx3(bool server_mode, X *x, K *k, LIST *chain, DH_CTX *dh, b
 SSL_PIPE *s;
 SSL *ssl;
 SSL_CTX *ssl_ctx = NewSSLCtx(server_mode);
+ if (ssl_ctx == NULL)
+ {
+ return NULL;
+ }
 Lock(openssl_lock);
 {
@@ -11727,6 +11731,10 @@ bool StartSSLEx3(SOCK *sock, X *x, K *priv, LIST *chain, UINT ssl_timeout, char
 }
 ssl_ctx = NewSSLCtx(sock->ServerMode);
+ if (ssl_ctx == NULL)
+ {
+ return false;
+ }
 Lock(openssl_lock);
 {
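Review bot: The failure path added to StartPeapSslClient (src/Cedar/Radius.c) returns `false` without leaving any trace, whereas the equivalent check in Proto_PPP.c logs `Debug("EAP-TLS: NewSslPipeEx3 failed\n");`; the Proto_OpenVPN.c hunk and both Network.c hunks (NewSslPipeEx3 and StartSSLEx3) are silent in the same way. A failed TLS context allocation is then indistinguishable, for the caller and for an operator reading logs, from an ordinary authentication or handshake failure. Add a line such as `Debug("StartPeapSslClient: NewSslPipe failed\n");` before the `return false;`, and matching messages in the other hunks. The function body continues outside the hunk.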
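Review bot: NewSslPipeEx3 (src/Mayaqua/Network.c) can now return NULL, and nothing in the hunk documents that for callers. This patch adds NULL checks at three call sites (Proto_OpenVPN.c, Proto_PPP.c, Radius.c); any other caller of NewSslPipeEx3, or of NewSslPipe and NewSslPipeEx if those forward to it, that is not part of this diff would still dereference the result the way StartPeapSslClient did with `e->SslPipe->RawOut`. I would add a comment above the function, `// Returns NULL if the SSL context could not be created; callers must check`, and audit the remaining call sites. The function body continues past the end of the hunk.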