From: Tomas Mraz Date: Tue, 19 Aug 2025 07:12:37 +0000 (+0200) Subject: Avoid doublefree of OCSP_SINGLERESP X-Git-Tag: openssl-3.6.0-alpha1~87 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eaacf56ba97e8089344bc85f8a50b00932cd3416;p=thirdparty%2Fopenssl.git Avoid doublefree of OCSP_SINGLERESP It is referenced by OCSP_BASICRESP and will be freed when that is freed. Issue and a proposed fix reported by Stanislav Fort (Aisle Research). Reviewed-by: Saša Nedvědický Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/28300) --- diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index ce95a748c7e..da99fd26312 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -6461,9 +6461,6 @@ static int ct_extract_ocsp_response_scts(SSL_CONNECTION *s) scts = OCSP_SINGLERESP_get1_ext_d2i(single, NID_ct_cert_scts, NULL, NULL); - - OCSP_SINGLERESP_free(single); - if (scts == NULL) { scts_extracted = -1; goto err;
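Review bot: in ct_extract_ocsp_response_scts(), nothing at the call site records that single is a borrowed pointer, so the OCSP_SINGLERESP_free(single) removed after the OCSP_SINGLERESP_get1_ext_d2i() call could easily be reintroduced by a later cleanup pass. Since the commit message states that the object is referenced by OCSP_BASICRESP and freed with it, I would add a one-line comment above the get1_ext_d2i call saying that single is owned by the basic response and must not be freed here. It is also worth confirming that the err path, which this hunk does not show, releases only scts and the response objects and never single. The patch touches only ssl/ssl_lib.c; a regression test that runs a handshake with a stapled OCSP response carrying the NID_ct_cert_scts extension under a memory sanitizer would keep the double free from coming back.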