From: huanghuihui0904 <625173@qq.com> Date: Mon, 16 Mar 2026 03:05:36 +0000 (+0800) Subject: crypto/x509/pcy_tree.c: fix leak of tree in X509_policy_check() X-Git-Tag: openssl-4.0.0~68 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2806ac117a8e857bbec72ae4c75e78bfc571617;p=thirdparty%2Fopenssl.git crypto/x509/pcy_tree.c: fix leak of tree in X509_policy_check() When init_ret indicates both X509_PCY_TREE_EXPLICIT and X509_PCY_TREE_EMPTY, the function returns without freeing the initialized policy tree. Free the tree before returning, consistent with the earlier TREE_EMPTY branch. Also defer *ptree = tree assignment and free the tree when user policies are empty to avoid returning invalid memory. Fixes #30435 Signed-off-by: huanghuihui0904 <625173@qq.com> Reviewed-by: Frederik Wedel-Heinen Reviewed-by: Eugene Syromiatnikov MergeDate: Fri Apr 3 15:03:37 2026 (Merged from https://github.com/openssl/openssl/pull/30436) (cherry picked from commit c3d24d9121ef12d8b1f2615e7655e07b5a624358)
---
diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
index cdf39ba5c7e..ea3f8ae20b0 100644
--- a/crypto/x509/pcy_tree.c
+++ b/crypto/x509/pcy_tree.c
@@ -680,8 +680,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 } else {
 *pexplicit_policy = 1;
 /* Tree empty and requireExplicit True: Error */
- if (init_ret & X509_PCY_TREE_EMPTY)
+ if (init_ret & X509_PCY_TREE_EMPTY) {
+ X509_policy_tree_free(tree);
 return X509_PCY_TREE_FAILURE;
+ }
 }
 
 ret = tree_evaluate(tree);
@@ -707,13 +709,15 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
 if (!ret)
 goto error;
 
- *ptree = tree;
-
 if (init_ret & X509_PCY_TREE_EXPLICIT) {
 nodes = X509_policy_tree_get0_user_policies(tree);
- if (sk_X509_POLICY_NODE_num(nodes) <= 0)
+ if (sk_X509_POLICY_NODE_num(nodes) <= 0) {
+ X509_policy_tree_free(tree);
 return X509_PCY_TREE_FAILURE;
+ }
 }
+
+ *ptree = tree;
 return X509_PCY_TREE_VALID;
 
 error:
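Review bot: The free added before `return X509_PCY_TREE_FAILURE;` in the `X509_PCY_TREE_EMPTY` branch repeats cleanup by hand, and the second hunk adds the same free-then-return pair in the user-policy check. Every future early return in X509_policy_check() will have to remember that pair, or the leak comes back. Consider routing both through a single exit, or at minimum stating the ownership rule beside the first free: `/* tree is still owned here: *ptree is only set on the VALID return */`. The start of the function and the body of the `error:` label are outside the hunks, so whether that label can be reused with the FAILURE return code cannot be confirmed from here.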
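Review bot: Moving `*ptree = tree;` below the user-policy check changes what callers see on that `X509_PCY_TREE_FAILURE` return. Previously the tree was handed out before the check and the caller owned it; now it is freed and `*ptree` keeps whatever value it had on entry. If `*ptree` is not cleared at the top of the function (outside this hunk), a caller that frees or inspects it after a failure would be acting on a stale pointer. It is worth confirming this and documenting the contract next to the assignment, e.g. `/* On any non-VALID return no tree is handed to the caller; *ptree keeps its entry value */`. No regression test is visible in this diff; one that drives the EXPLICIT-with-empty-user-policies path under a leak checker would keep the fix from regressing.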