Fix a possible memory leak in ct_move_scts

Instead of trying to move the doomed sct back to the src stack, which may fail as well, simply free the sct object, as the src list will be deleted anyway. Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22762)
2025-01-24 13:55:42 +08:00 · 2023-11-17 14:47:36 +01:00 · 2023-11-17 14:47:36 +01:00 · a435d78604
commit a435d78604
parent d7c0fc5b1a
1 changed files with 4 additions and 3 deletions
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -6056,6 +6056,8 @@ IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
 * If |dst| points to a NULL pointer, a new stack will be created and owned by
 * the caller.
 * Returns the number of SCTs moved, or a negative integer if an error occurs.
+ * The |dst| stack is created and possibly partially populated even in case
+ * of error, likewise the |src| stack may be left in an intermediate state.
 */
 static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
                        sct_source_t origin)
@ -6075,15 +6077,14 @@ static int ct_move_scts(STACK_OF(SCT) **dst, STACK_OF(SCT) *src,
        if (SCT_set_source(sct, origin) != 1)
            goto err;

-        if (sk_SCT_push(*dst, sct) <= 0)
+        if (!sk_SCT_push(*dst, sct))
            goto err;
        scts_moved += 1;
    }

    return scts_moved;
 err:
-    if (sct != NULL)
-        sk_SCT_push(src, sct);  /* Put the SCT back */
+    SCT_free(sct);
    return -1;
 }