From: Dr. David von Oheimb Date: Mon, 15 Feb 2021 09:24:58 +0000 (+0100) Subject: x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 X-Git-Tag: openssl-3.0.0-alpha12~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=adc11e1b9cf12df3c67de165a2b42ac72266cbca;p=thirdparty%2Fopenssl.git x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068 Fixes: Variable "sk_untrusted" going out of scope leaks the storage it points to. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/14187) --- diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 4e192abec4b..d5c09d28f44 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -3035,12 +3035,9 @@ static int build_chain(X509_STORE_CTX *ctx) * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add * them to our working copy of the untrusted certificate stack. */ - if (DANETLS_ENABLED(dane) && dane->certs != NULL) { - if (!X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) { - sk_X509_free(sk_untrusted); - goto memerr; - } - } + if (DANETLS_ENABLED(dane) && dane->certs != NULL + && !X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) + goto memerr; /* * Still absurdly large, but arithmetically safe, a lower hard upper bound @@ -3306,14 +3303,15 @@ static int build_chain(X509_STORE_CTX *ctx) } int_err: - sk_X509_free(sk_untrusted); ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ctx->error = X509_V_ERR_UNSPECIFIED; + sk_X509_free(sk_untrusted); return -1; memerr: ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE); ctx->error = X509_V_ERR_OUT_OF_MEM; + sk_X509_free(sk_untrusted); return -1; }