From 000c4a4fbc5988aaa4fe9af044ca3d737bf9f3ce Mon Sep 17 00:00:00 2001
From: jsing
Date: Sat, 6 Jun 2026 15:28:14 +0000
Subject: [PATCH] Correctly handle failure to buffer DTLS messages.
If we fail to buffer an outgoing DTLS message, we're not going to be able to retransmit it. Correctly propagate the failure.
ok kenjiro@ tb@
---
 lib/libssl/d1_both.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/libssl/d1_both.c b/lib/libssl/d1_both.c
index 1e87d9e6526..d3742cbd121 100644
--- a/lib/libssl/d1_both.c
+++ b/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.96 2026/06/06 15:24:26 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.97 2026/06/06 15:28:14 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -1171,7 +1171,8 @@ dtls12_ccs_built(SSL *s)
 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, s->d1->handshake_write_seq, 0, 0);
- dtls1_buffer_message(s, 1);
+ if (!dtls1_buffer_message(s, 1))
+ return 0;
 return 1;
 }
@@ -1196,7 +1197,8 @@ dtls12_handshake_msg_built(SSL *s)
 dtls1_set_message_header(s, msg_type, len, 0, len);
- dtls1_buffer_message(s, 0);
+ if (!dtls1_buffer_message(s, 0))
+ return 0;
 return 1;
 }
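Review bot: The new `return 0;` in dtls12_ccs_built() pushes nothing onto the error stack in the lines shown, and the identical check in dtls12_handshake_msg_built() has the same gap. dtls1_buffer_message() is defined outside this diff, so if it does not raise an error itself, the handshake fails with an empty error queue and an operator cannot tell a resource failure from a protocol fault. Consider `SSLerror(s, ERR_R_INTERNAL_ERROR);` before each `return 0;`, or, if the callee already reports, a short comment such as `/* Cannot retransmit an unbuffered message; fail the handshake. */`. Both functions begin above their hunks, so it is also worth confirming that every caller checks their return value; otherwise the propagated failure is dropped one level up.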