From: huanghuihui0904 <625173@qq.com> Date: Mon, 16 Mar 2026 02:35:48 +0000 (+0800) Subject: apps/lib/tlssrp_depr.c: fix leak of vb in set_up_srp_verifier_file() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9a24a30e9b85ba2567c5adebc789947955c41a6;p=thirdparty%2Fopenssl.git apps/lib/tlssrp_depr.c: fix leak of vb in set_up_srp_verifier_file() set_up_srp_verifier_file() allocates srp_callback_parm->vb via SRP_VBASE_new(). If SRP_VBASE_init() fails, vb must be freed before returning. Additionally, add SRP_VBASE_free() to the end: cleanup path in s_server.c so that vb is also freed on normal program exit. Solves https://github.com/openssl/openssl/issues/30362 Fixes #30362 Signed-off-by: huanghuihui0904 <625173@qq.com> Reviewed-by: Eugene Syromiatnikov Reviewed-by: Matt Caswell MergeDate: Wed May 13 07:20:48 2026 (Merged from https://github.com/openssl/openssl/pull/30434) --- diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h index 6432a2032a5..c46f6327e95 100644 --- a/apps/include/s_apps.h +++ b/apps/include/s_apps.h @@ -113,6 +113,7 @@ typedef struct srpsrvparm_st { int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm, char *srpuserseed, char *srp_verifier_file); +void cleanup_srp(srpsrvparm *srp_callback_parm); void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out); #endif /* OPENSSL_NO_SRP */ diff --git a/apps/lib/tlssrp_depr.c b/apps/lib/tlssrp_depr.c index cc36365748c..eb9f3a18145 100644 --- a/apps/lib/tlssrp_depr.c +++ b/apps/lib/tlssrp_depr.c @@ -203,6 +203,8 @@ int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm, BIO_printf(bio_err, "Cannot initialize SRP verifier file \"%s\":ret=%d\n", srp_verifier_file, ret); + SRP_VBASE_free(srp_callback_parm->vb); + srp_callback_parm->vb = NULL; return 0; } SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback); 
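Review bot: The `srp_callback_parm->vb = NULL;` added after `SRP_VBASE_free()` in the `SRP_VBASE_init()` failure branch is what keeps a later release of the same struct from freeing `vb` twice, and nothing in the branch says so. A short comment such as `/* clear vb: the caller still runs cleanup_srp() on this struct */` would stop the assignment from being removed as dead code. Since this commit also adds `cleanup_srp()` in the same file, the two added lines could instead be `cleanup_srp(srp_callback_parm);`, provided `user` is NULL or valid at this point, which the hunk does not show. The body of set_up_srp_verifier_file() starts and ends outside the hunk.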
@@ -224,3 +226,11 @@ void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out)
 else
 BIO_puts(bio_s_out, "LOOKUP not successful\n");
 }
+
+void cleanup_srp(srpsrvparm *srp_callback_parm)
+{
+ SRP_user_pwd_free(srp_callback_parm->user);
+ srp_callback_parm->user = NULL;
+ SRP_VBASE_free(srp_callback_parm->vb);
+ srp_callback_parm->vb = NULL;
+}
diff --git a/apps/s_server.c b/apps/s_server.c
index e8f431cd0a7..ebb8514fef3 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -3131,6 +3131,9 @@ int s_server_main(int argc, char *argv[])
 ret = 0;
 end:
 SSL_CTX_free(ctx);
+#ifndef OPENSSL_NO_SRP
+ cleanup_srp(&srp_callback_parm);
+#endif
 SSL_SESSION_free(psksess);
 set_keylog_file(NULL, NULL);
 X509_free(s_cert);
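Review bot: cleanup_srp() has no comment stating which members of `srpsrvparm` it owns: it releases `user` and `vb` and leaves every other member alone, and whether `login` needs releasing cannot be told from this hunk. A header comment along the lines of `/* Release user and vb; safe on a zeroed struct and safe to call twice. */` would record the contract the exit path relies on. The function also dereferences `srp_callback_parm` unconditionally, so unlike the free routines it wraps it does not tolerate a NULL argument; `if (srp_callback_parm == NULL) return;` as its first statement would match them.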
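Review bot: The `cleanup_srp(&srp_callback_parm);` call under `end:` runs on every exit, including ones taken before any SRP setup, so it is only safe if `srp_callback_parm` starts out zeroed; its declaration is outside this hunk and should be checked for static storage or an explicit zero initializer. Placing the call after `SSL_CTX_free(ctx)` looks deliberate, since the context may still hold a pointer to the struct as its SRP callback argument, and a one-line comment such as `/* after SSL_CTX_free(): ctx may reference srp_callback_parm */` would keep the order from being rearranged. s_server_main() starts and ends outside the hunk.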