From: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date: Thu, 4 Mar 2021 20:17:31 +0000 (+0100)
Subject: X509 build_chain(): Fix two potential memory leaks on issuer variable
X-Git-Tag: openssl-3.0.0-alpha17~26
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=558f2a014646bb057f3876b28e32b13d8178400e;p=thirdparty%2Fopenssl.git

X509 build_chain(): Fix two potential memory leaks on issuer variable

This also removes an inadequate guard: if (num == ctx->num_untrusted)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
---

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 054dffc7dc7..ddb3378eee3 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -2965,10 +2965,10 @@ static int dane_verify(X509_STORE_CTX *ctx)
 }
 
 /*
- * Get issuer, without duplicate suppression
+ * Get trusted issuer, without duplicate suppression
  * Returns -1 on internal error.
  */
-static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
+static int get1_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
 {
     STACK_OF(X509) *saved_chain = ctx->chain;
     int ok;
@@ -3090,8 +3090,8 @@ static int build_chain(X509_STORE_CTX *ctx)
             }
             curr = sk_X509_value(ctx->chain, i - 1);
 
-            /* Note: get_issuer() must be used even if curr is self-signed. */
-            ok = num > max_depth ? 0 : get_issuer(&issuer, ctx, curr);
+            /* Note: get1_trusted_issuer() must be used even if self-signed. */
+            ok = num > max_depth ? 0 : get1_trusted_issuer(&issuer, ctx, curr);
 
             if (ok < 0) {
                 trust = -1;
@@ -3102,8 +3102,10 @@ static int build_chain(X509_STORE_CTX *ctx)
             if (ok > 0) {
                 int self_signed = X509_self_signed(curr, 0);
 
-                if (self_signed < 0)
+                if (self_signed < 0) {
+                    X509_free(issuer);
                     goto int_err;
+                }
                 /*
                  * Alternative trusted issuer for a mid-chain untrusted cert?
                  * Pop the untrusted cert's successors and retry.  We might now
@@ -3150,7 +3152,7 @@ static int build_chain(X509_STORE_CTX *ctx)
                     }
                     if ((self_signed = X509_self_signed(issuer, 0)) < 0)
                         goto int_err;
-                } else if (num == ctx->num_untrusted) {
+                } else {
                     /*
                      * We have a self-signed certificate that has the same
                      * subject name (and perhaps keyid and/or serial number) as