
Fix double free in certificate policies configuration

In nref_nos(), nnums must not be freed on error because in the caller it
is not->noticeref->noticenos and hangs off the POLICYQUALINFO qual which
is freed as part of POLICYQUALINFO_free() in the error path.

ok jsing kenjiro

tb d41533f0 8a75dc3b

+7 -12
+7 -12
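--- a/lib/libcrypto/x509/x509_cpols.c
+++ b/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.19 2025/11/03 16:36:15 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.20 2025/11/28 06:03:40 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -676,23 +676,18 @@
 
 for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
 cnf = sk_CONF_VALUE_value(nos, i);
-if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
 X509V3error(X509V3_R_INVALID_NUMBER);
-goto err;
+return 0;
 }
-if (!sk_ASN1_INTEGER_push(nnums, aint)) {
+if (sk_ASN1_INTEGER_push(nnums, aint) <= 0) {
+X509V3error(ERR_R_MALLOC_FAILURE);
 ASN1_INTEGER_free(aint);
-goto merr;
+return 0;
 }
 }
-return 1;
-
-merr:
-X509V3error(ERR_R_MALLOC_FAILURE);
 
-err:
-sk_ASN1_INTEGER_pop_free(nnums, ASN1_INTEGER_free);
-return 0;
+return 1;
 }
 
 static int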
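Review bot: The ownership rule that makes both new `return 0;` paths in nref_nos() safe is recorded only in the commit message, not in the code. The function's signature and the caller are outside the hunk, so this is inferred from the description, but a comment above nref_nos() would keep a later cleanup from reintroducing the free: `/* nnums is borrowed from the caller (not->noticeref->noticenos); never free it here, POLICYQUALINFO_free() releases it on error. */`. It is also worth noting there that on failure the integers already pushed stay in `nnums`, so the caller's error path must free the whole qualifier and not reuse the partly filled stack. A regression test that runs a policy section with a non-numeric notice number under a memory-checking allocator would pin this behaviour.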