crypto/x509/v3_ncons.c: fix scheme buffer leak in nc_uri() for schemeless URIs
author007bsd <22483432+007bsd@users.noreply.github.com>
Tue, 23 Jun 2026 18:42:33 +0000 (21:42 +0300)
committerEugene Syromiatnikov <esyr@openssl.org>
Fri, 26 Jun 2026 15:25:26 +0000 (17:25 +0200)
OSSL_parse_url() allocates a 1-byte empty-string buffer for the scheme
even when the URI has no scheme.  The empty-scheme error branch freed
uri_copy and jumped to end: which only frees host, leaving scheme
unfreed.  Add OPENSSL_free(scheme) before the goto.

Assisted-by: Claude:claude-sonnet-4-6
CLA: trivial
Fixes: e599893a9fec "x509: allow SAN URIs to contain userinfo"
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Fri Jun 26 15:26:09 2026
(Merged from https://github.com/openssl/openssl/pull/31678)

crypto/x509/v3_ncons.c

index 1a9cf61122478107fc7d016e770dd6d9c601c589..8217bedc7bde4e42582092abc09ae1b32a1c59e9 100644 (file)
@@ -791,6 +791,7 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
     if (scheme == NULL || *scheme == '\0') {
         ERR_raise_data(ERR_LIB_X509V3, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX,
             "x509: missing scheme in URI: %s\n", uri_copy);
+        OPENSSL_free(scheme);
         OPENSSL_free(uri_copy);
         ret = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
         goto end;
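Review bot: Releasing `scheme` and `uri_copy` inside this error branch while `host` is released at `end:` is the split-cleanup pattern that caused the leak, so the one-line fix leaves the function fragile. The rest of nc_uri lies outside the hunk, but if both pointers are initialised to NULL at declaration, I would move `OPENSSL_free(scheme);` and `OPENSSL_free(uri_copy);` to the `end:` label so every exit path releases them. The added call is safe for the `scheme == NULL` arm of the condition, since OPENSSL_free accepts NULL. Because the URI presumably comes from a certificate under name-constraint checking, a leak per schemeless URI is reachable from untrusted input; a regression test that feeds a schemeless URI through this path under a leak checker would pin the fix.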