From 030b8689c5e2131d8db812703be39b34a6472284 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 14 Apr 2023 06:47:07 +0000
Subject: Fix double free in error path in openssl(1) x509

A conversion from X509_REQ_get_pubkey() to X509_REQ_get0_pubkey() missed
one free of pkey in an unlikely error path. After the conversion pkey is
no longer owned by us, so we mustn't free it.

ok jsing
---
 src/usr.bin/openssl/x509.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

(limited to 'src')

diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c
index e6d1ee915d..7c8f34f64c 100644
--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.32 2023/04/09 17:28:52 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.33 2023/04/14 06:47:07 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -888,10 +888,8 @@ x509_main(int argc, char **argv)
 
 		if ((pkey = X509_REQ_get0_pubkey(req)) == NULL)
 			goto end;
-		if (!X509_set_pubkey(x, pkey)) {
-			EVP_PKEY_free(pkey);
+		if (!X509_set_pubkey(x, pkey))
 			goto end;
-		}
 	} else {
 		x = load_cert(bio_err, cfg.infile, cfg.informat, NULL,
 		    "Certificate");
-- 
cgit v1.2.3-55-g6feb