From 5a0fbbf1ca827b85900d2c8da3a30ff715dfc877 Mon Sep 17 00:00:00 2001
From: William Lallemand
Date: Mon, 23 Mar 2026 11:42:43 +0100
Subject: [PATCH] BUG/MINOR: acme: leak of ext_san upon insertion error

This patch fixes a leak of the ext_san structure when sk_X509_EXTENSION_push() failed. sk_X509_EXTENSION_pop_free() is already suppose to free it, so ext_san must be set to NULL upon success to avoid a double-free. Must be backported to 3.2 and later.
---
 src/acme.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/acme.c b/src/acme.c
index 61cce4c79..33afa567d 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -2528,7 +2528,7 @@ X509_REQ *acme_x509_req(EVP_PKEY *pkey, char **san)
 X509_REQ *x = NULL;
 X509_NAME *nm = NULL;
 STACK_OF(X509_EXTENSION) *exts = NULL;
- X509_EXTENSION *ext_san;
+ X509_EXTENSION *ext_san = NULL;
 char *str_san = NULL;
 int i = 0;

@@ -2566,6 +2566,9 @@ X509_REQ *acme_x509_req(EVP_PKEY *pkey, char **san)

 if (!sk_X509_EXTENSION_push(exts, ext_san))
 goto error;
+
+ ext_san = NULL; /* handle double-free upon error */
+
 if (!X509_REQ_add_extensions(x, exts))
 goto error;

@@ -2580,6 +2583,7 @@ X509_REQ *acme_x509_req(EVP_PKEY *pkey, char **san)
 return x;

 error:
+ X509_EXTENSION_free(ext_san);
 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
 X509_REQ_free(x);
 X509_NAME_free(nm);
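Review bot: The comment on the added `ext_san = NULL;` in the second hunk, "handle double-free upon error", reads as if a double-free were being handled rather than prevented, and it does not state the ownership rule the error path now depends on. A wording such as `/* now owned by exts, released by sk_X509_EXTENSION_pop_free() */` would tell the next maintainer why the pointer is cleared only after a successful push and must not be cleared before it. acme_x509_req() starts and ends outside this hunk.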
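Review bot: The `error:` label in the third hunk now releases both `ext_san` and `exts`, so every `goto error` has to arrive with each pointer either still owned by this function or NULL; the patch establishes that for `ext_san` but shows nothing equivalent for `exts`. New-side lines 2575–2582 are not part of the patch, so it is worth confirming that if `exts` is released on the success path before a later `goto error`, it is followed by `exts = NULL;`; otherwise the `sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)` at the label would free it a second time. A one-line comment above the label, for example `/* ext_san is non-NULL only while it has not been pushed onto exts */`, would record the invariant. The function body continues past the end of this hunk.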