OpenSSL: Fix memory leak in OCSP parsing
authorJouni Malinen <jouni@qca.qualcomm.com>
Mon, 15 Feb 2016 22:40:41 +0000 (00:40 +0200)
committerJouni Malinen <j@w1.fi>
Mon, 15 Feb 2016 22:40:41 +0000 (00:40 +0200)
The result from OCSP_cert_to_id() needs to be freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/crypto/tls_openssl.c
src/utils/http_curl.c

index 7ef6214480e15b29098d9e348be9ae153be81dc6..7a2db492bd3655d29d54aac91ba141a16f4693e1 100644 (file)
@@ -3852,10 +3852,12 @@ static int ocsp_resp_cb(SSL *s, void *arg)
                wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
                           (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
                           " (OCSP not required)");
+               OCSP_CERTID_free(id);
                OCSP_BASICRESP_free(basic);
                OCSP_RESPONSE_free(rsp);
                return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
        }
+       OCSP_CERTID_free(id);
 
        if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
                tls_show_errors(MSG_INFO, __func__,
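Review bot: After the new `OCSP_CERTID_free(id);` on the fall-through path, `id` keeps pointing at freed memory for the remainder of ocsp_resp_cb, which continues beyond this hunk. Following the free with `id = NULL;` would make any later use of it fail at a NULL pointer instead of touching freed memory. The matching free added on the fall-through path in src/utils/http_curl.c would take the same line.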
index 9be0111fb369bed200a16b6552c318f4fb6fc4dd..d59439896ce8237b402145512e190c4ddd370098 100644 (file)
@@ -1216,6 +1216,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
                wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
                           (ctx->ocsp == MANDATORY_OCSP) ? "" :
                           " (OCSP not required)");
+               OCSP_CERTID_free(id);
                OCSP_BASICRESP_free(basic);
                OCSP_RESPONSE_free(rsp);
                if (ctx->ocsp == MANDATORY_OCSP)
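Review bot: ocsp_resp_cb here duplicates the callback of the same name in src/crypto/tls_openssl.c, and nothing in the visible lines ties the two copies together, so the leak had to be patched in both files by hand. A later fix to the OCSP checks in one file can easily miss the other. A comment above the function such as `/* Mirrors ocsp_resp_cb() in src/crypto/tls_openssl.c; apply OCSP fixes to both */` would make that dependency explicit. The function starts and ends outside this hunk.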
@@ -1223,6 +1224,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
                        ctx->last_err = "Could not find current server certificate from OCSP response";
                return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;
        }
+       OCSP_CERTID_free(id);
 
        if (!OCSP_check_validity(this_update, next_update, 5 * 60, -1)) {
                tls_show_errors(__func__, "OpenSSL: OCSP status times invalid");
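Review bot: The `return (ctx->ocsp == MANDATORY_OCSP) ? 0 : 1;` just above the new free lets the handshake continue when the stapled OCSP response has no entry for the server certificate, unless OCSP is mandatory, and nothing at that line says this soft-fail is intended. In that mode the revocation check gives no assurance for such a response, so the choice deserves a comment, e.g. `/* Soft-fail: a response that does not cover the server certificate is only fatal with MANDATORY_OCSP */`. The equivalent return in src/crypto/tls_openssl.c, keyed on `TLS_CONN_REQUIRE_OCSP`, would take the same comment. The condition guarding this branch is outside the hunk, so this reading rests on the log message.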