Commit 2229aad774 for openssl.org
commit 2229aad774f6c7b7863b68320abf9a9cd134ab3c
Author: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Tue Jun 30 19:12:18 2026 +0900
apps/s_server.c: fix SSL object leak on rpk_enable() failure

In www_body() and rev_body(), con = SSL_new(ctx) is called before
rpk_enable(con), but ownership of con is transferred to ssl_bio only
later by BIO_set_ssl(..., BIO_CLOSE). If rpk_enable() fails, the code
jumps to err: before that transfer without freeing con, leaking the SSL
object.

Add SSL_free(con) before goto err in both rpk_enable() failure paths,
matching the adjacent SSL_set_session_id_context() and BIO_new_socket()
error paths. sv_body() is unaffected because its err: block already
frees con.

The global rpk_files is not leaked. Its lifetime is managed
by s_server_main(), which frees it in the end cleanup block.

Resolves: https://github.com/openssl/openssl/issues/31769

Reviewed-by: Matt Caswell <matt@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Wed Jul 1 12:04:13 2026
(Merged from https://github.com/openssl/openssl/pull/31789)

diff --git a/apps/s_server.c b/apps/s_server.c
index 43b212df7a..e1c601589b 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -4020,6 +4020,7 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
if (rpk_files != NULL && !rpk_enable(con)) {
BIO_puts(bio_err, "Error enabling client RPK verification\n");
+ SSL_free(con);
goto err;
}
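Review bot: The rpk_enable() failure path in www_body() reports only the fixed "Error enabling client RPK verification" string, while the same path in rev_body() also calls ERR_print_errors(bio_err). Consider adding ERR_print_errors(bio_err) before SSL_free(con) here so the error queue entries that explain why RPK setup failed are reported in both functions. The added SSL_free(con) itself is placed correctly, after the message and before goto err.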
@@ -4543,6 +4544,7 @@ static int rev_body(int s, int stype, int prot, unsigned char *context)
if (rpk_files != NULL && !rpk_enable(con)) {
BIO_puts(bio_err, "Error enabling client RPK verification\n");
ERR_print_errors(bio_err);
+ SSL_free(con);
goto err;
}
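Review bot: After SSL_free(con) in this rev_body() failure path, con still holds the freed pointer when control reaches err:, so the fix is safe only as long as nothing under err: touches con. The commit message notes that sv_body() frees con in its err: block; applying that pattern here (free con at err:, and set con = NULL once BIO_set_ssl(..., BIO_CLOSE) has taken ownership) would replace the per-path frees and keep a future early exit from reintroducing the leak. If the per-path style is kept for consistency with the adjacent error paths, a short comment at SSL_new() stating that con must be freed manually until ownership moves to ssl_bio would document the invariant.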