From b9b8a7a5df552d4e5929d4d7e38490b9aef642a9 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sat, 18 Oct 2025 00:01:26 +0200
Subject: [PATCH] openssl: fix resource leak in provider error path

Pointed out by ZeroPath
Closes #19111
---
 lib/vtls/openssl.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 43fa417a35..2868ea85ec 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1473,6 +1473,8 @@ static int providerload(struct Curl_easy *data,
 OSSL_STORE_CTX *store = OSSL_STORE_open_ex(cert_file, data->state.libctx, NULL, NULL, NULL, NULL, NULL, NULL);
+ int rc;
+
 if(!store) { failf(data, "Failed to open OpenSSL store: %s", ossl_strerror(ERR_get_error(), error_buffer,
@@ -1501,13 +1503,15 @@ static int providerload(struct Curl_easy *data,
 return 0; }
- if(SSL_CTX_use_certificate(ctx, cert) != 1) {
+ rc = SSL_CTX_use_certificate(ctx, cert);
+ X509_free(cert); /* we do not need the handle any more... */
+
+ if(rc != 1) {
 failf(data, "unable to set client certificate [%s]", ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer))); return 0; }
- X509_free(cert); /* we do not need the handle any more... */
 } else { failf(data, "crypto provider not set, cannot load certificate");
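Review bot: The comment kept on the moved `X509_free(cert);` line in the second hunk does not say why the certificate may be released before `rc` is tested, which is the point of the reordering. The old code already freed `cert` after a successful `SSL_CTX_use_certificate()`, so the context evidently holds its own reference and the local one can be dropped on both outcomes; I would say so, e.g. `/* ctx holds its own reference on success; release ours on both paths */`. The failure branch now calls `ERR_get_error()` after an intervening OpenSSL call; `X509_free()` is not expected to touch the error queue, but that ordering is worth confirming. `cert` remains in scope as a dangling pointer after the free, and providerload's body continues outside the hunk, so any later use cannot be checked from here.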