Fix memory leak in ossl_rsa_fromdata.

Occurs if a malloc failure happens inside collect_numbers()

Reported via #18365

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18646)

diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c
index b69c94fc1127bbbabd04b7e4a40fcc5d1b68dfc7..bc658d9d30dbbdba3f235fd7981438d529d714c6 100644 (file)
--- a/crypto/rsa/rsa_backend.c
+++ b/crypto/rsa/rsa_backend.c
@@ -49,9 +49,12 @@ static int collect_numbers(STACK_OF(BIGNUM) *numbers,
         if (p != NULL) {
             BIGNUM *tmp = NULL;
 
-            if (!OSSL_PARAM_get_BN(p, &tmp)
-                || sk_BIGNUM_push(numbers, tmp) == 0)
+            if (!OSSL_PARAM_get_BN(p, &tmp))
                 return 0;
+            if (sk_BIGNUM_push(numbers, tmp) == 0) {
+                BN_clear_free(tmp);
+                return 0;
+            }
         }
     }