From 8e469ebf2ebef565d3fcaa0d6ad9ac5998734e24 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Fri, 20 Mar 2026 16:39:28 +0000 Subject: [PATCH] BUG/MEDIUM: acme: fix multiple resource leaks in acme_x509_req() Several resources were leaked on both success and error paths: - X509_NAME *nm was never freed. X509_REQ_set_subject_name() makes an internal copy, so nm must be freed separately by the caller. - str_san allocated via my_strndup() was never freed on either path. - On error paths after allocation, x (X509_REQ) and exts (STACK_OF(X509_EXTENSION)) were also leaked. Fix this by adding proper cleanup of all allocated resources in both the success and error paths. Also move sk_X509_EXTENSION_pop_free() after X509_REQ_sign() so it is not skipped when sign fails, and initialize nm to NULL to make early error paths safe. Must be backported as far as 3.2. --- src/acme.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/acme.c b/src/acme.c index c3611a199..61cce4c79 100644 --- a/src/acme.c +++ b/src/acme.c @@ -2526,7 +2526,7 @@ X509_REQ *acme_x509_req(EVP_PKEY *pkey, char **san) { struct buffer *san_trash = NULL; X509_REQ *x = NULL; - X509_NAME *nm; + X509_NAME *nm = NULL; STACK_OF(X509_EXTENSION) *exts = NULL; X509_EXTENSION *ext_san; char *str_san = NULL; @@ -2569,16 +2569,21 @@ X509_REQ *acme_x509_req(EVP_PKEY *pkey, char **san) if (!X509_REQ_add_extensions(x, exts)) goto error; - sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - if (!X509_REQ_sign(x, pkey, EVP_sha256())) goto error; + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + X509_NAME_free(nm); + free(str_san); free_trash_chunk(san_trash); return x; error: + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + X509_REQ_free(x); + X509_NAME_free(nm); + free(str_san); free_trash_chunk(san_trash); return NULL;