Commit 070c036623 for openssl.org

commit 070c03662302088f718aa9d515b0d547b29297fb
Author: Tomas Mraz <tomas@openssl.org>
Date:   Wed Jan 21 19:11:30 2026 +0100

    rsa_enc.c: Properly duplicate the oaep_label member

    Otherwise a use-after-free and a double free occur when the
    duplicate is freed.
    Reported by Tomas Dulka and Stanislav Fort (Aisle Research)

    Reviewed-by: Richard Levitte <levitte@openssl.org>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    MergeDate: Fri Jan 23 10:37:36 2026
    (Merged from https://github.com/openssl/openssl/pull/29707)

diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index c2768c5931..58c7671660 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -361,6 +361,12 @@ static void *rsa_dupctx(void *vprsactx)
         return NULL;
     }

+    if (dstctx->oaep_label != NULL
+        && (dstctx->oaep_label = OPENSSL_memdup(dstctx->oaep_label, dstctx->oaep_labellen)) == NULL) {
+        rsa_freectx(dstctx);
+        return NULL;
+    }
+
     return dstctx;
 }
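Review bot: The added check treats every NULL from `OPENSSL_memdup` as an allocation failure, but to my knowledge that call also returns NULL for a zero length. If a context can hold a non-NULL `oaep_label` with `oaep_labellen == 0` (not visible in this hunk, so worth confirming against the label setter), such a context could no longer be duplicated. In that case the empty label needs its own branch, so that the copy neither fails nor keeps the source's pointer. The failure path is safe only because the assignment inside the condition has already replaced the aliased pointer with NULL before `rsa_freectx(dstctx)` runs, which deserves a one-line comment. rsa_dupctx begins above the hunk, so the earlier error paths are not covered by this note.

```c
    /* ... unchanged: allocation, struct copy and up-refs above the hunk ... */
    if (dstctx->oaep_label != NULL) {
        if (dstctx->oaep_labellen == 0) {
            /* Empty label: nothing to copy, but never keep the source's pointer. */
            dstctx->oaep_label = NULL;
        } else if ((dstctx->oaep_label = OPENSSL_memdup(dstctx->oaep_label,
                                                        dstctx->oaep_labellen)) == NULL) {
            /* oaep_label is NULL here, so rsa_freectx() cannot free the source's buffer. */
            rsa_freectx(dstctx);
            return NULL;
        }
    }

    return dstctx;
```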