From 31ea1efe2093444f79bcce82460e33deb5a08ec2 Mon Sep 17 00:00:00 2001
From: Nikola Pajkovsky <nikolap@openssl.org>
Date: Mon, 22 Sep 2025 12:17:16 +0200
Subject: [PATCH] x509: fix mem leak on error path

The x509_store_add() creates X509_OBJECT wrapping either X509 or
X509_CRL. However, if you set the type to X509_LU_NONE before
X509_OBJECT_free then it skips the free on the wrapped type and just
calls OPENSSL_free on the object itself. Hence, leaking wrapped
object.

Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28631)

(cherry picked from commit 8a4ef31f3ab9c8e512d29600ccc833cf03533b9e)
---
 crypto/x509/x509_lu.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 05ee7c8c6b5..eb2d47955b2 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -408,7 +408,6 @@ static int x509_store_add(X509_STORE *store, void *x, int crl)
     }
 
     if (!X509_STORE_lock(store)) {
-        obj->type = X509_LU_NONE;
         X509_OBJECT_free(obj);
         return 0;
     }
-- 
2.47.3