Fix a double free in v2i_NAME_CONSTRAINTS()

a2i_GENERAL_NAME() modifies and returns the out argument that was
passed in unless out == NULL, in which case it returns something
freshly allocated. Thus, in v2i_GENERAL_NAME_ex() we must only free
ret if out == NULL so v2i_NAME_CONSTRAINTS() can free correctly.

Issue reported by Volker Schlecht

ok jsing

diff --git a/lib/libcrypto/x509/x509_alt.c b/lib/libcrypto/x509/x509_alt.c
index a7c1a8c..9dbca9d 100644 (file)
--- a/lib/libcrypto/x509/x509_alt.c
+++ b/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.5 2021/10/28 10:58:23 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.6 2022/02/11 17:37:54 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -686,7 +686,8 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
        }
        return ret;
  err:
-       GENERAL_NAME_free(ret);
+       if (out == NULL)
+               GENERAL_NAME_free(ret);
        return NULL;
 }