If an error occurred and a jump to the "err" label is performed after
exts has been allocated, it can leak. Avoid that by adding
sk_X509_EXTENSION_pop_free() on the error path and setting exts to NULL
after sk_X509_EXTENSION_pop_free() in the normal handling.
Fixes: ae880ae6719e "Fix error handling in X509_REQ_print_ex"
Fixes: 87c49f622e7f "Support for parsing of certificate extensions in PKCS#10 requests: these are"
Resolves: https://scan5.scan.coverity.com/#/project-view/65248/10222?selectedIssue=1665161
References: https://github.com/openssl/project/issues/1362
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28408)
(cherry picked from commit 3b83a7183c71395cdc70eacddce21f4d2d9d2b88)
long l;
int i;
EVP_PKEY *pkey;
- STACK_OF(X509_EXTENSION) *exts;
+ STACK_OF(X509_EXTENSION) *exts = NULL;
char mlch = ' ';
int nmindent = 0, printok = 0;
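Review bot: at the `exts` declaration, the `= NULL` initialiser is required by the free added under `err:` and is not cosmetic, because any `goto err` taken before `exts` is assigned would otherwise hand an indeterminate pointer to `sk_X509_EXTENSION_pop_free()`. A one-line comment stating that `exts` is owned by this function and released at `err:` would keep a later edit from dropping the initialiser.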
goto err;
}
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+ exts = NULL;
}
}
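Review bot: `exts = NULL;` directly after the in-block `sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);` is the only thing that stops a double free if a later statement jumps to `err:`, where the same pointer is now freed again. The two lines must stay paired, so a short comment on the reset (for example, that `err:` also frees `exts`) would make the dependency visible to whoever next touches this block.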
return 1;
err:
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB);
return 0;
}
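Review bot: the `sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);` added under `err:` runs on every error jump in the function, so its safety rests on `exts` being either NULL or a live stack at each `goto err`. That holds only together with the NULL initialiser and the reset after the in-block free, and on `sk_X509_EXTENSION_pop_free()` accepting NULL. The visible change carries no test; one that forces a failure while `exts` is still allocated, run under a leak checker, would guard both the leak and the double-free case against regression.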