From a11ab7ad4ea0d97ac0d5af1e28b30b00c37c3c3c Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Thu, 27 Nov 2025 12:11:39 +0100
Subject: [PATCH 2/2] ngtcp2+openssl: fix leak of session

Fix return value indicating to OpenSSL if reference to session is kept
(it is not), so OpenSSL frees it.

Reported-by: Aleksei Bavshin
Fixes #19717
Closes #19718

(cherry picked from commit 9bb5c0578b39e5b086b6a9db5c6eb299a0fe1c5c)
---
 lib/vquic/curl_ngtcp2.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/vquic/curl_ngtcp2.c b/lib/vquic/curl_ngtcp2.c
index f72f6630f..069dcb67e 100644
--- a/lib/vquic/curl_ngtcp2.c
+++ b/lib/vquic/curl_ngtcp2.c
@@ -2262,7 +2262,6 @@ static int quic_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
 #endif
     Curl_ossl_add_session(cf, data, ctx->peer.scache_key, ssl_sessionid,
                           SSL_version(ssl), "h3", quic_tp, quic_tp_len);
-    return 1;
   }
   return 0;
 }
-- 
2.52.0