In ossl_get_ocsp_response(), the OCSP_BASICRESP allocated by
OCSP_response_get1_basic() is never freed when the OCSP response
contains zero SingleResponse entries.
The allocation and guard were combined in a single && expression,
so when OCSP_resp_get0(bs, 0) returns NULL, short-circuit evaluation
skips the block containing OCSP_BASICRESP_free(bs), leaking bs on
every handshake with such a response.
Fix by splitting the allocation out of the condition and adding an
else branch that frees bs when the SingleResponse check fails.
Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 22:26:50 2026
(Merged from https://github.com/openssl/openssl/pull/30463)
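The leak mechanism the commit message describes, as an added example that is not OpenSSL code: the OCSP calls are replaced by stand-ins (the `mock_*` names, `live_basicresps()` and `leaked_after()` are all hypothetical, chosen here so the block runs without libcrypto), and an allocation counter makes the difference between the combined `&&` condition and the split version observable.

```c
/* Added example, not OpenSSL code.  Models the pattern from the commit
 * message with stand-in types and functions (all mock_* names are
 * hypothetical) so it runs without libcrypto.  process_buggy() mirrors the
 * combined "allocate && check" condition, process_fixed() the split version;
 * live_basicresps() reports how many stand-in OCSP_BASICRESP objects are
 * still allocated, so a test can see the leak directly. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int num_single; } mock_basicresp;               /* stands in for OCSP_BASICRESP */
typedef struct { int has_basic; int num_single; } mock_response;  /* stands in for OCSP_RESPONSE  */
typedef struct { int unused; } mock_singleresp;                   /* stands in for OCSP_SINGLERESP */

static int live_count = 0;             /* outstanding mock_basicresp allocations */
static mock_singleresp single_stub;    /* returned by mock_resp_get0() when present */

/* Like OCSP_response_get1_basic(): returns a new object the caller must free. */
mock_basicresp *mock_response_get1_basic(const mock_response *resp) {
  if (!resp->has_basic)
    return NULL;
  mock_basicresp *bs = calloc(1, sizeof *bs);
  if (bs == NULL)
    return NULL;
  bs->num_single = resp->num_single;
  live_count++;
  return bs;
}

/* Like OCSP_resp_get0(): borrowed pointer, NULL when idx is out of range. */
mock_singleresp *mock_resp_get0(const mock_basicresp *bs, int idx) {
  return (idx < bs->num_single) ? &single_stub : NULL;
}

/* Like OCSP_BASICRESP_free(): freeing NULL is a no-op. */
void mock_basicresp_free(mock_basicresp *bs) {
  if (bs == NULL)
    return;
  live_count--;
  free(bs);
}

/* The pre-fix shape: allocation and guard in one && expression.  When the
 * response has zero SingleResponse entries the second operand is false, the
 * block (and its free) is skipped, and bs is never released. */
void process_buggy(const mock_response *resp) {
  mock_basicresp *bs;
  mock_singleresp *sr;
  if (((bs = mock_response_get1_basic(resp)) != NULL)
      && ((sr = mock_resp_get0(bs, 0)) != NULL)) {
    (void)sr;  /* real code would read the algorithm from the first SingleResponse */
    mock_basicresp_free(bs);
  }
}

/* The post-fix shape: allocate first, then guard, with an else branch that
 * frees bs whenever the SingleResponse check fails (bs may be NULL there,
 * which the free accepts). */
void process_fixed(const mock_response *resp) {
  mock_basicresp *bs = mock_response_get1_basic(resp);
  mock_singleresp *sr;
  if (bs != NULL && (sr = mock_resp_get0(bs, 0)) != NULL) {
    (void)sr;
    mock_basicresp_free(bs);
  } else {
    mock_basicresp_free(bs);
  }
}

int live_basicresps(void) { return live_count; }

/* Runs one constructed response through handler and returns how many
 * mock_basicresp objects it left allocated (0 means no leak). */
int leaked_after(void (*handler)(const mock_response *), int has_basic, int num_single) {
  mock_response resp = { has_basic, num_single };
  int before = live_count;
  handler(&resp);
  return live_count - before;
}

int main(void) {
  printf("buggy, zero SingleResponses: %d leaked\n", leaked_after(process_buggy, 1, 0));
  printf("fixed, zero SingleResponses: %d leaked\n", leaked_after(process_fixed, 1, 0));
  printf("buggy, one SingleResponse:   %d leaked\n", leaked_after(process_buggy, 1, 1));
  printf("fixed, no basic response:    %d leaked\n", leaked_after(process_fixed, 0, 0));
  return 0;
}
```

Running it under a leak checker such as AddressSanitizer (`-fsanitize=address`) reports the single lost allocation from `process_buggy` on the zero-SingleResponse input; the counter in `leaked_after()` shows the same thing without tooling.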
* happening because of test cases.
*/
ERR_set_mark();
- if (((bs = OCSP_response_get1_basic(resp)) != NULL)
- && ((sr = OCSP_resp_get0(bs, 0)) != NULL)) {
+ bs = OCSP_response_get1_basic(resp);
+ if (bs != NULL && (sr = OCSP_resp_get0(bs, 0)) != NULL) {
/* use the first single response to get the algorithm used */
cid = (OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sr);
*/
if (i == num)
resp = NULL;
+ } else {
+ OCSP_BASICRESP_free(bs);
}
/*
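Review bot: the new else branch frees bs unconditionally, which is also reached when OCSP_response_get1_basic() itself returned NULL; that is fine because OpenSSL's *_free() functions accept NULL, but a one-line comment there ("bs may be NULL here") would save the next reader from checking. Separately, ERR_set_mark() is called just before the condition and only the success path is visible in this hunk; please confirm the else path (or the code after it) still reaches the matching ERR_pop_to_mark()/ERR_clear_last_mark() so the mark is not left on the error stack when the response has no SingleResponse entries.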