copy_email() may leak memory when asked to move data

instead of copy

Resolves: https://scan5.scan.coverity.com/#/project-view/62622/10222?selectedIssue=1681722

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Mon Mar  2 12:51:48 2026
(Merged from https://github.com/openssl/openssl/pull/30192)

diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c
index 247fe0a1aeb558c434f97b6c9d6e758ea36b7484..3dcd0b026ef32e1512a8005b562fc682959ea0f9 100644 (file)
--- a/crypto/x509/v3_san.c
+++ b/crypto/x509/v3_san.c
@@ -439,9 +439,6 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
     while ((i = X509_NAME_get_index_by_NID(nm,
                 NID_pkcs9_emailAddress, i))
         >= 0) {
-        /* XXX Casts away const */
-        ne = (X509_NAME_ENTRY *)X509_NAME_get_entry(nm, i);
-        email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
         if (move_p) {
             /* We should really not support deleting things in a const object
              * to rip the pointer out of it. If we truly want a new object
@@ -449,6 +446,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
              */
             return 0;
         }
+        /* XXX Casts away const */
+        ne = (X509_NAME_ENTRY *)X509_NAME_get_entry(nm, i);
+        email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
         if (email == NULL || (gen = GENERAL_NAME_new()) == NULL) {
             ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
             goto err;