From: 007bsd <22483432+007bsd@users.noreply.github.com> Date: Tue, 23 Jun 2026 18:42:33 +0000 (+0300) Subject: crypto/x509/v3_ncons.c: fix scheme buffer leak in nc_uri() for schemeless URIs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8be7309f34eecac16b23edfa2ea8de7c52a33b3d;p=thirdparty%2Fopenssl.git crypto/x509/v3_ncons.c: fix scheme buffer leak in nc_uri() for schemeless URIs OSSL_parse_url() allocates a 1-byte empty-string buffer for the scheme even when the URI has no scheme. The empty-scheme error branch freed uri_copy and jumped to end: which only frees host, leaving scheme unfreed. Add OPENSSL_free(scheme) before the goto. Assisted-by: Claude:claude-sonnet-4-6 CLA: trivial Fixes: e599893a9fec "x509: allow SAN URIs to contain userinfo" Reviewed-by: Tomas Mraz Reviewed-by: Nikola Pajkovsky Reviewed-by: Eugene Syromiatnikov MergeDate: Fri Jun 26 15:26:09 2026 (Merged from https://github.com/openssl/openssl/pull/31678) --- diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c index 1a9cf611224..8217bedc7bd 100644 --- a/crypto/x509/v3_ncons.c +++ b/crypto/x509/v3_ncons.c @@ -791,6 +791,7 @@ static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base) if (scheme == NULL || *scheme == '\0') { ERR_raise_data(ERR_LIB_X509V3, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, "x509: missing scheme in URI: %s\n", uri_copy); + OPENSSL_free(scheme); OPENSSL_free(uri_copy); ret = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; goto end;
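Review bot: The added OPENSSL_free(scheme) in the `if (scheme == NULL || *scheme == '\0')` branch fixes only this one exit. Since the commit message says the end: label frees host but not scheme, consider freeing scheme at end: next to host instead, so that every path that reaches `goto end` after OSSL_parse_url() shares one cleanup site. OPENSSL_free() accepts NULL, so the scheme == NULL half of the condition is safe either way, but centralising the free would need scheme initialised to NULL and any free of scheme outside this hunk checked so it cannot run twice. The same reasoning applies to uri_copy, which this branch also frees by hand. A regression test that feeds a schemeless URI through nc_uri() under a leak checker would keep this from coming back.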