crypto/x509/t_req.c: avoid exts leaking on error paths

If an error occurred and jump to the "err" label is performed after
exts has been allocated, it can leak.  Avoid that by adding
sk_X509_EXTENSION_pop_free() on the error path and setting exts to NULL
after sk_X509_EXTENSION_pop_free() in the normal handling.

Fixes: ae880ae6719e "Fix error handling in X509_REQ_print_ex"
Fixes: 87c49f622e7f "Support for parsing of certificate extensions in PKCS#10 requests: these are"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665161
References: https://github.com/openssl/project/issues/1362
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28408)

diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c
index fe62a087063055860b9d63b58f82b78f26c6fe89..eb730216adab525518b1307f0ce869e00493b979 100644 (file)
--- a/crypto/x509/t_req.c
+++ b/crypto/x509/t_req.c
@@ -40,7 +40,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
     long l;
     int i;
     EVP_PKEY *pkey;
-    STACK_OF(X509_EXTENSION) *exts;
+    STACK_OF(X509_EXTENSION) *exts = NULL;
     char mlch = ' ';
     int nmindent = 0, printok = 0;
 
@@ -191,6 +191,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
                     goto err;
             }
             sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+            exts = NULL;
         }
     }
 
@@ -204,6 +205,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
 
     return 1;
  err:
+    sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
     ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB);
     return 0;
 }