Avoid leak in SSL_dup_CA_list()

In the case that X509_NAME_dup() succeeds, but sk_X509_NAME_push()
fails, name is leaked.  The entire function is trying to be clever
and therefore hard to follow.  Let's do it the stupid but safe way.

ok jsing

1 files changed, 14 insertions, 8 deletions

diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 6c00b0d336..4641ac92d0 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.74 2019/03/25 17:33:26 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.75 2019/04/13 18:04:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -466,17 +466,23 @@ SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk)
 {
         int i;
         STACK_OF(X509_NAME) *ret;
-        X509_NAME *name;
+        X509_NAME *name = NULL;
+
+        if ((ret = sk_X509_NAME_new_null()) == NULL)
+                goto err;
 
-        ret = sk_X509_NAME_new_null();
         for (i = 0; i < sk_X509_NAME_num(sk); i++) {
-                name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
-                if ((name == NULL) || !sk_X509_NAME_push(ret, name)) {
-                        sk_X509_NAME_pop_free(ret, X509_NAME_free);
-                        return (NULL);
-                }
+                if ((name = X509_NAME_dup(sk_X509_NAME_value(sk, i))) == NULL)
+                        goto err;
+                if (!sk_X509_NAME_push(ret, name))
+                        goto err;
         }
         return (ret);
+
+ err:
+        X509_NAME_free(name);
+        sk_X509_NAME_pop_free(ret, X509_NAME_free);
+        return NULL;
 }
 
 void