From: Niels Dossche Subject: [PATCH] libressl: Fix memory leak in nref_nos on error To: tech@openbsd.org Date: Mon, 3 Nov 2025 17:06:32 +0100 Hi This patch fixes a memory leak when an error occurs in nref_nos when calling sk_ASN1_INTEGER_push in libressl. If the push operation fails, aint is never freed. While here, also use the proper operation in sk_ASN1_INTEGER_pop_free, although they're synonyms so it doesn't really matter except for code style. This issue was found via an experimental static analyzer I'm working on, and I manually read the code to verify whether this is a real bug or not. --------------------------------------------------------------------------- diff --git lib/libcrypto/x509/x509_cpols.c lib/libcrypto/x509/x509_cpols.c index b6a456023fb..b3e8a992c04 100644 --- lib/libcrypto/x509/x509_cpols.c +++ lib/libcrypto/x509/x509_cpols.c @@ -680,8 +680,10 @@ nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos) X509V3error(X509V3_R_INVALID_NUMBER); goto err; } - if (!sk_ASN1_INTEGER_push(nnums, aint)) + if (!sk_ASN1_INTEGER_push(nnums, aint)) { + ASN1_INTEGER_free(aint); goto merr; + } } return 1; @@ -689,7 +691,7 @@ merr: X509V3error(ERR_R_MALLOC_FAILURE); err: - sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free); + sk_ASN1_INTEGER_pop_free(nnums, ASN1_INTEGER_free); return 0; }