From: Theo Buehler
Subject: Re: [PATCH] libressl: fix memory leak in x509_name_encode on error
To: Niels Dossche
Cc: tech@openbsd.org
Date: Wed, 19 Mar 2025 14:05:34 +0100

On Wed, Mar 19, 2025 at 01:47:24PM +0100, Niels Dossche wrote:
> Hi
>
> This patch fixes a memory leak when an error occurs in x509_name_encode in libressl.

Thanks. While this patch is correct, I think it only addresses a tiny aspect of all that's wrong in this function... What a horror show. I need to think about this for a few days.

>
> This issue was found via an experimental static analyzer I'm working on,
> and I manually read the code to verify whether this is a real bug or not.
>
>
> ---------------------------------------------------------------------------
> diff --git lib/libcrypto/asn1/x_name.c lib/libcrypto/asn1/x_name.c > index 7bacd833404..b472ec88c74 100644 > --- lib/libcrypto/asn1/x_name.c > +++ lib/libcrypto/asn1/x_name.c > @@ -414,8 +414,10 @@ x509_name_encode(X509_NAME *a) > if (!entries) > goto memerr; > if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname.s, > - entries)) > + entries)) { > + sk_X509_NAME_ENTRY_free(entries); > goto memerr; > + } > set = entry->set; > } > if (entries == NULL /* if entry->set is bogusly -1 */ || >
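
Review bot: In the new failure branch of the `sk_STACK_OF_X509_NAME_ENTRY_push(intname.s, entries)` check, `entries` is freed but keeps its old pointer value when control jumps to `memerr`. The `memerr` cleanup is not visible in this hunk, so it is worth confirming that it releases only what is reachable from `intname.s` and never touches `entries`; setting `entries = NULL` right after `sk_X509_NAME_ENTRY_free(entries);` would rule out a double free if that cleanup path changes later. Separately, `sk_X509_NAME_ENTRY_free` releases the stack itself and not its elements, so the fix is complete only while `entries` is still empty at this point, which the preceding `if (!entries)` check suggests but does not show. A one-line comment stating that the stack is empty here would make the choice of a plain free over a pop-free obvious to the next reader.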