From d0ee8ada4dd12c17f7990feac17493ec1f931849 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <daniel@yesql.se>
Date: Fri, 12 Jul 2024 20:49:16 +0200
Subject: [PATCH] Fix memleak in rsa_cms_sign error path

If the call to X509_ALGOR_set0 fails then the allocated ASN1_STRING
variable passed as parameter leaks.  Fix by explicitly freeing like
how all other codepaths with X509_ALGOR_set0 do.

Fixes #22680

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24868)

(cherry picked from commit 5efc57caf229748fd4f85b05463f96b11679100d)
---
 crypto/cms/cms_rsa.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
index 31436d4d687..f132df5c8a0 100644
--- a/crypto/cms/cms_rsa.c
+++ b/crypto/cms/cms_rsa.c
@@ -222,7 +222,10 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
         os = ossl_rsa_ctx_to_pss_string(pkctx);
         if (os == NULL)
             return 0;
-        return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
+        if (X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os))
+            return 1;
+        ASN1_STRING_free(os);
+        return 0;
     }
 
     params[0] = OSSL_PARAM_construct_octet_string(
-- 
2.47.2