dane_match_cert() should X509_free() on ->mcert instead

of OPENSSL_free()

Fixes: 170b735820ac "DANE support for X509_verify_cert()"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Thu Mar  5 12:37:17 2026
(Merged from https://github.com/openssl/openssl/pull/30250)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index ed9f78c47ec2ad65eaf4c1d8755ae9e884bef13d..04fa0359cbc3ef570fc10d8b69e19c2b69e60b70 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -3408,7 +3408,7 @@ static int dane_match_cert(X509_STORE_CTX *ctx, X509 *cert, int depth)
                     break;
                 }
 
-                OPENSSL_free(dane->mcert);
+                X509_free(dane->mcert);
                 dane->mcert = cert;
                 dane->mdpth = depth;
                 dane->mtlsa = t;