From: Niels Dossche <niels.dossche@ugent.be>
Date: Wed, 22 Jan 2025 13:35:25 +0000 (+0100)
Subject: Fix potential leak in error path in cert_response()
X-Git-Tag: openssl-3.4.2~172
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bd7eb2099db17f591ab33e7629c92be0d55338e;p=thirdparty%2Fopenssl.git

Fix potential leak in error path in cert_response()

get1_cert_status() returns an object that must be freed,
but the error path does not do that.
Fix it by adding a call to X509_free() in the error path.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26513)

(cherry picked from commit 56160f173d055486357b7a315ab4e9579b2538d5)
---

diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index e8fe6f30dcb..dc87b3e7126 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -736,8 +736,10 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
         ERR_add_error_data(1, "; cannot extract certificate from response");
         return 0;
     }
-    if (!ossl_cmp_ctx_set0_newCert(ctx, cert))
+    if (!ossl_cmp_ctx_set0_newCert(ctx, cert)) {
+        X509_free(cert);
         return 0;
+    }
 
     /*
      * if the CMP server returned certificates in the caPubs field, copy them