From 9e77a05d37d29fd564f300bf0d05678d3faf28da Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 14 Apr 2023 06:47:07 +0000
Subject: [PATCH] Fix double free in error path in openssl(1) x509

A conversion from X509_REQ_get_pubkey() to X509_REQ_get0_pubkey() missed one free of pkey in an unlikely error path. After the conversion pkey is no longer owned by us, so we mustn't free it.

ok jsing
---
 usr.bin/openssl/x509.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/usr.bin/openssl/x509.c b/usr.bin/openssl/x509.c
index e6d1ee915db..7c8f34f64ce 100644
--- a/usr.bin/openssl/x509.c
+++ b/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.32 2023/04/09 17:28:52 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.33 2023/04/14 06:47:07 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -888,10 +888,8 @@ x509_main(int argc, char **argv)
 if ((pkey = X509_REQ_get0_pubkey(req)) == NULL)
 goto end;
- if (!X509_set_pubkey(x, pkey)) {
- EVP_PKEY_free(pkey);
+ if (!X509_set_pubkey(x, pkey))
 goto end;
- }
 } else {
 x = load_cert(bio_err, cfg.infile, cfg.informat, NULL,
 "Certificate");
--
2.20.1
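Review bot: The ownership rule this fix relies on is still not written down at the call site in the second hunk: `pkey` is obtained with `X509_REQ_get0_pubkey(req)` and remains owned by `req`, yet nothing in the code says so, which is how the stray free survived the earlier get-to-get0 conversion. I would add a comment directly above the assignment, for example `/* pkey is borrowed from req (get0): never EVP_PKEY_free() it. */`, so a later edit to this error path does not reintroduce the double free. The `end:` cleanup of x509_main lies outside this hunk, so it is worth confirming that nothing there releases this pointer either. The enclosing `if` block also starts above the visible context, so the declaration of `pkey` could not be checked from here.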