Don't leak memory in the event of a failure in i2v_GENERAL_NAMES

i2v_GENERAL_NAMES call i2v_GENERAL_NAME repeatedly as required. Each time i2v_GENERAL_NAME gets called it allocates adds data to the passed in stack and then returns a pointer to the stack, or NULL on failure. If the passed in stack is itself NULL then it allocates one. i2v_GENERAL_NAMES was not correctly handling the case where a NULL gets returned from i2v_GENERAL_NAME. If a stack had already been allocated then it just leaked it. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10300)
2025-01-18 13:44:20 +08:00 · 2019-10-30 13:20:33 +00:00 · 2019-10-30 13:20:33 +00:00 · 45b244620a
commit 45b244620a
parent dcea51afe9
1 changed files with 15 additions and 2 deletions
--- a/crypto/x509/v3_alt.c
+++ b/crypto/x509/v3_alt.c
@ -52,11 +52,24 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
 {
    int i;
    GENERAL_NAME *gen;
+    STACK_OF(CONF_VALUE) *tmpret = NULL, *origret = ret;
+
    for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
        gen = sk_GENERAL_NAME_value(gens, i);
-        ret = i2v_GENERAL_NAME(method, gen, ret);
+        /*
+         * i2v_GENERAL_NAME allocates ret if it is NULL. If something goes
+         * wrong we need to free the stack - but only if it was empty when we
+         * originally entered this function.
+         */
+        tmpret = i2v_GENERAL_NAME(method, gen, ret);
+        if (tmpret == NULL) {
+            if (origret == NULL)
+                sk_CONF_VALUE_pop_free(ret, X509V3_conf_free);
+            return NULL;
+        }
+        ret = tmpret;
    }
-    if (!ret)
+    if (ret == NULL)
        return sk_CONF_VALUE_new_null();
    return ret;
 }