git.ipfire.org Git - thirdparty/openssl.git/commitdiff
Fix resource leak in crls_http_cb()
author YZL0v3ZZ <2055877225@qq.com>
Wed, 11 Mar 2026 13:48:14 +0000 (21:48 +0800)
committer Todd Short <todd.short@me.com>
Fri, 13 Mar 2026 15:05:32 +0000 (11:05 -0400)
When the function fails to push the second CRL to the stack, it
incorrectly uses sk_X509_CRL_free() instead of sk_X509_CRL_pop_free().
This destroys the stack container but orphans previously pushed
X509_CRL objects.

Replace it with sk_X509_CRL_pop_free passing X509_CRL_free as the
cleanup routine to ensure deep deallocation of any pushed items.

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/30372)

apps/lib/apps.c

index e8d868f3147d7c11b689e4a5509422556216daac..8747c03028c135ec52ded8899b8d736603d0a224 100644 (file)
@@ -2677,7 +2677,7 @@ static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx,
 
 error:
     X509_CRL_free(crl);
-    sk_X509_CRL_free(crls);
+    sk_X509_CRL_pop_free(crls, X509_CRL_free);
     return NULL;
 }
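
Review bot: at the `error:` label, `X509_CRL_free(crl)` now runs immediately before `sk_X509_CRL_pop_free(crls, X509_CRL_free)`, so the cleanup is only correct if `crl` is never an element of `crls` when control reaches this point. With the old shallow `sk_X509_CRL_free()` such an overlap was harmless; with the deep free it would become a double free. Please confirm that every `goto error` follows a failed push or a NULL `crl`. Consider also either a one-line comment at the label stating that `crl` is not owned by the stack here, or setting `crl = NULL` after each successful push so the invariant survives if more jump sites are added later.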