A tiny patch for a giant function. This kind of looks right, based on
some other examples in the function, but it's hard to say for sure
since this one function (X509_verify_cert; is that important?) has
about a dozen different exit points which free or don't free any
number of variables, stacks, chains, etc.
Index: x509_vfy.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/x509/x509_vfy.c,v
retrieving revision 1.27
diff -u -p -r1.27 x509_vfy.c
--- x509_vfy.c 12 Jun 2014 15:49:31 -0000 1.27
+++ x509_vfy.c 18 Jun 2014 18:09:51 -0000
@@ -313,7 +313,11 @@ X509_verify_cert(X509_STORE_CTX *ctx)
ctx->current_cert = x;
} else {
- sk_X509_push(ctx->chain, chain_ss);
+ if (!sk_X509_push(ctx->chain, chain_ss)) {
+ X509_free(chain_ss);
+ X509err(X509_F_X509_VERIFY_CERT,
ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
num++;
ctx->last_untrusted = num;
ctx->current_cert = chain_ss;
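Review bot: The new failure branch leaves through a bare "return 0;" after freeing only chain_ss, and nothing in this hunk shows what else X509_verify_cert holds at that point. The cover text notes that the function's other exits free varying sets of stacks and chains, so check any temporary stack or chain allocated earlier in the function against this return. If the function already has a shared cleanup path, it is safer to set the failure result and jump there than to add another standalone exit. The X509_free(chain_ss) itself looks right: the push failed, so ctx->chain never took ownership of the certificate. A one-line comment saying so would help the next reader of this branch.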