From: David Carlier Date: Wed, 18 Feb 2026 21:55:00 +0000 (+0000) Subject: BUG/MINOR: acme: fix X509_NAME leak when X509_set_issuer_name() fails X-Git-Tag: v3.4-dev5~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=194a67600e6581c94e72565d4aa00b7e7e3b5131;p=thirdparty%2Fhaproxy.git BUG/MINOR: acme: fix X509_NAME leak when X509_set_issuer_name() fails In acme_gen_tmp_x509(), if X509_set_issuer_name() fails, the code jumped to the mkcert_error label without freeing the previously allocated X509_NAME object. The other error paths after X509_NAME_new() (X509_NAME_add_entry_by_txt and X509_set_subject_name) already properly freed the name before jumping to mkcert_error, but this one was missed. Fix this by freeing name before the goto, consistent with the other error paths in the same function. Must be backported as far as 3.3. --- diff --git a/src/acme.c b/src/acme.c index b8ad8df67..f14759747 100644 --- a/src/acme.c +++ b/src/acme.c @@ -2681,8 +2681,10 @@ X509 *acme_gen_tmp_x509() goto mkcert_error; } /* Set issuer name as itself */ - if (X509_set_issuer_name(newcrt, name) != 1) + if (X509_set_issuer_name(newcrt, name) != 1) { + X509_NAME_free(name); goto mkcert_error; + } X509_NAME_free(name); /* Autosign the certificate with the private key */
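
Review bot: in the X509_set_issuer_name() failure branch, the added X509_NAME_free(name) is one more copy of the same cleanup placed before goto mkcert_error. The commit message says the X509_NAME_add_entry_by_txt and X509_set_subject_name paths already do the same, and that per-branch pattern is what allowed this path to be missed. Consider releasing name once under the mkcert_error label instead: initialise name to NULL and set it back to NULL after the success-path X509_NAME_free(name) just below, so a later error path can neither leak nor double-free it. The mkcert_error label is not visible in this hunk, so confirm that nothing there already frees name before moving the call.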