From bd1a14bcaf77426fa17c2acaff48fb9a612ce680 Mon Sep 17 00:00:00 2001
From: Neil Horman <nhorman@openssl.org>
Date: Sat, 26 Jul 2025 09:28:01 -0400
Subject: [PATCH] Set *sk_resp to NULL when freeing.

Its possible for get_ocsp_resp_from_responder to return OK after having
freed *sk_resp without setting the freed pointer to NULL, leading us to
set a garbage pointer in other code.

Ensure that we set it to NULL after freeing

Addresses https://scan5.scan.coverity.com/#/project-view/60762/10222?selectedIssue=1659225

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28101)
---
 apps/s_server.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/s_server.c b/apps/s_server.c
index c09395c69b2..0360bfccdf0 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -755,8 +755,10 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
     STACK_OF(X509) *server_certs = NULL;
     OCSP_RESPONSE *resp = NULL;
 
-    if (*sk_resp != NULL)
+    if (*sk_resp != NULL) {
         sk_OCSP_RESPONSE_pop_free(*sk_resp, OCSP_RESPONSE_free);
+        *sk_resp = NULL;
+    }
 
     SSL_get0_chain_certs(s, &server_certs);
     /*
-- 
2.47.2