From ab8af35aa2abf570d2042498751e9ac1261f26f0 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Fri, 11 Dec 2020 19:30:40 +0100
Subject: X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/13713)
---
crypto/x509/v3_conf.c | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c
index f8a2e3fe27..740108fefd 100644
--- a/crypto/x509/v3_conf.c
+++ b/crypto/x509/v3_conf.c
@@ -306,8 +306,8 @@ static void delete_ext(STACK_OF(X509_EXTENSION) *sk, X509_EXTENSION *dext) /* * This is the main function: add a bunch of extensions based on a config * file section to an extension STACK. Just check in case sk == NULL. + * Note that on error new elements may have been added to *sk if sk != NULL. */ - int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, STACK_OF(X509_EXTENSION) **sk) {
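Review bot: The added sentence on X509V3_EXT_add_nconf_sk() records that a failed call can leave new elements in *sk, but it stops short of telling the caller what to do with the half-filled stack. This function feeds certificates and CRLs, and the wrappers in the next hunk carry the same wording, so a caller that ignores or mishandles the return value could end up signing an object that holds only part of the configured extensions, possibly without a critical constraint that came later in the section. I would extend the comment with something like `* On failure the caller should treat *sk as incomplete and discard or rebuild it before use.` Only the signature and opening brace of the function are inside this hunk, so whether the body could roll back its own additions cannot be judged from here.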
@@ -337,45 +337,45 @@ int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, } /* - * Convenience functions to add extensions to a certificate, CRL and request + * Add extensions to a certificate. Just check in case cert == NULL. + * Note that on error new elements may remain added to cert if cert != NULL. */ - int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, X509 *cert) { STACK_OF(X509_EXTENSION) **sk = NULL; - if (cert) + if (cert != NULL) sk = &cert->cert_info.extensions; return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); } -/* Same as above but for a CRL */ - +/* + * Add extensions to a CRL. Just check in case crl == NULL. + * Note that on error new elements may remain added to crl if crl != NULL. + */ int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, X509_CRL *crl) { STACK_OF(X509_EXTENSION) **sk = NULL; - if (crl) + if (crl != NULL) sk = &crl->crl.extensions; return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); } -/* Add extensions to certificate request */ - +/* + * Add extensions to certificate request. Just check in case req is NULL. + * Note that on error new elements may remain added to req if req != NULL. + */ int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, X509_REQ *req) { - STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL; - int i; + STACK_OF(X509_EXTENSION) *exts = NULL; + int ret = X509V3_EXT_add_nconf_sk(conf, ctx, section, &exts); - if (req) - sk = &extlist; - i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); - if (!i || !sk) - return i; - i = X509_REQ_add_extensions(req, extlist); - sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free); - return i; + if (ret && req != NULL && exts != NULL) + ret = X509_REQ_add_extensions(req, exts); + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + return ret; } /* Config database functions */ -- cgit v1.2.3
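Review bot: The new header comment on X509V3_EXT_REQ_add_nconf() says elements "may remain added to req" on error, which does not match the rewritten body: extensions are collected in the local `exts`, and X509_REQ_add_extensions() is reached only when X509V3_EXT_add_nconf_sk() returned success. A bad config section therefore leaves req untouched, unlike the cert and CRL wrappers above, which write straight into the object's own stack. Suggest `* On a config error req is left unchanged; the temporary stack is always freed.` and, if X509_REQ_add_extensions() can itself fail part-way (not visible here), saying so separately. The comment could also mention that the section is now parsed into a temporary stack even when req is NULL.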