Fix an error path leak in int X509_ATTRIBUTE_set1_data()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5000a6d1215ea7d6ed6179d0bcd44263f6e3c26b)

diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c
index bd59281f9dac62a909b6002ef6fcd5915fbf45dc..25010753078cf44f2befed9ef4bf0f78137f41bb 100644 (file)
--- a/crypto/x509/x509_att.c
+++ b/crypto/x509/x509_att.c
@@ -296,7 +296,7 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj)
 int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
                              const void *data, int len)
 {
-    ASN1_TYPE *ttmp;
+    ASN1_TYPE *ttmp = NULL;
     ASN1_STRING *stmp = NULL;
     int atype = 0;
     if (!attr)
@@ -324,20 +324,26 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
      * least one value but some types use and zero length SET and require
      * this.
      */
-    if (attrtype == 0)
+    if (attrtype == 0) {
+        ASN1_STRING_free(stmp);
         return 1;
+    }
     if (!(ttmp = ASN1_TYPE_new()))
         goto err;
     if ((len == -1) && !(attrtype & MBSTRING_FLAG)) {
         if (!ASN1_TYPE_set1(ttmp, attrtype, data))
             goto err;
-    } else
+    } else {
         ASN1_TYPE_set(ttmp, atype, stmp);
+        stmp = NULL;
+    }
     if (!sk_ASN1_TYPE_push(attr->value.set, ttmp))
         goto err;
     return 1;
  err:
     X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
+    ASN1_TYPE_free(ttmp);
+    ASN1_STRING_free(stmp);
     return 0;
 }