From 5a7c0586b3d725c15633e7c157ad00803fe62cd4 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 28 Nov 2025 06:03:40 +0000
Subject: Fix double free in certificate policies configuration

In nref_nos(), nnums must not be freed on error because in the caller it is not->noticeref->noticenos and hangs off the POLICYQUALINFO qual which is freed as part of POLICYQUALINFO_free() in the error path.

ok jsing kenjiro
---
 src/lib/libcrypto/x509/x509_cpols.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index e075f462ad..25a40b0739 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.19 2025/11/03 16:36:15 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.20 2025/11/28 06:03:40 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -676,23 +676,18 @@ nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)

 for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
 cnf = sk_CONF_VALUE_value(nos, i);
- if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+ if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
 X509V3error(X509V3_R_INVALID_NUMBER);
- goto err;
+ return 0;
 }
- if (!sk_ASN1_INTEGER_push(nnums, aint)) {
+ if (sk_ASN1_INTEGER_push(nnums, aint) <= 0) {
+ X509V3error(ERR_R_MALLOC_FAILURE);
 ASN1_INTEGER_free(aint);
- goto merr;
+ return 0;
 }
 }

- return 1;
-
- merr:
- X509V3error(ERR_R_MALLOC_FAILURE);
- err:
- sk_ASN1_INTEGER_pop_free(nnums, ASN1_INTEGER_free);
- return 0;
+ return 1;
 }

 static int
--
cgit v1.2.3-55-g6feb
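Review bot: The ownership rule that makes this fix correct is recorded only in the commit message, so nothing at `nref_nos()` itself stops a later cleanup from re-adding a free of `nnums` on the error path and bringing the double free back. With both early `return 0;` paths, the function now leaves any integers already pushed onto `nnums` for the caller to release, which per the description happens through `POLICYQUALINFO_free()`. I would add a comment above the function, e.g. `/* nnums is borrowed from the caller's POLICYQUALINFO; never free it here, the caller's error path does. */`. The start of the function (signature and local declarations) and the caller are outside the hunk, so the caller's cleanup is taken from the description rather than verified here.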