From: Daniel Gustafsson Date: Fri, 12 Jul 2024 18:49:16 +0000 (+0200) Subject: Fix memleak in rsa_cms_sign error path X-Git-Tag: openssl-3.1.8~148 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30d1cb63fcd72410fadcbd50c1e5e745ddc840b5;p=thirdparty%2Fopenssl.git Fix memleak in rsa_cms_sign error path If the call to X509_ALGOR_set0 fails then the allocated ASN1_STRING variable passed as parameter leaks. Fix by explicitly freeing like how all other codepaths with X509_ALGOR_set0 do. Fixes #22680 Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24868) (cherry picked from commit 5efc57caf229748fd4f85b05463f96b11679100d) --- diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c index 12bc8184389..5e26e89d501 100644 --- a/crypto/cms/cms_rsa.c +++ b/crypto/cms/cms_rsa.c @@ -223,7 +223,10 @@ static int rsa_cms_sign(CMS_SignerInfo *si) os = ossl_rsa_ctx_to_pss_string(pkctx); if (os == NULL) return 0; - return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); + if (X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os)) + return 1; + ASN1_STRING_free(os); + return 0; } params[0] = OSSL_PARAM_construct_octet_string(
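Review bot: In the rsa_cms_sign hunk, the new ASN1_STRING_free(os) on the failure branch relies on X509_ALGOR_set0 taking ownership of os only when it succeeds, and nothing in the code states that. A one-line comment above the free, saying that os is still owned by the caller when X509_ALGOR_set0 returns 0, would keep a later refactor from reintroducing the leak or turning it into a double free. The diff touches only crypto/cms/cms_rsa.c, so no test covers this error path; if the tree has a way to inject allocation failures, a case that exercises this branch would be worth adding.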