From 7553d37f566450a198f4ed53c39672be6ad1f9a6 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 11 Feb 2022 17:37:54 +0000
Subject: Fix a double free in v2i_NAME_CONSTRAINTS()
a2i_GENERAL_NAME() modifies and returns the out argument that was passed in unless out == NULL, in which case it returns something freshly allocated. Thus, in v2i_GENERAL_NAME_ex() we must only free ret if out == NULL so v2i_NAME_CONSTRAINTS() can free correctly. Issue reported by Volker Schlecht ok jsing
---
src/lib/libcrypto/x509/x509_alt.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'src')
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index a7c1a8c6a1..9dbca9d1e9 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.5 2021/10/28 10:58:23 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.6 2022/02/11 17:37:54 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -686,7 +686,8 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
 }
 return ret;
 err:
- GENERAL_NAME_free(ret);
+ if (out == NULL)
+ GENERAL_NAME_free(ret);
 return NULL;
 }
--
cgit v1.2.3-55-g6feb
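Review bot: The `err:` path in the second hunk now depends on an ownership rule that is written down only in the commit message: `ret` aliases the caller-owned `out` unless `out == NULL`. A short comment above the new guard would keep a later edit from reintroducing the double free, for example `/* ret == out when out != NULL; the caller owns and frees it. */`. When `out` is non-NULL, a NULL return leaves the caller holding an object that may be partly filled in, so any caller other than v2i_NAME_CONSTRAINTS() that passes a non-NULL `out` should be checked for freeing it on failure; those call sites are not visible here. The body of v2i_GENERAL_NAME_ex() starts outside the hunk.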