Commit 1f5a44a66d for openssl.org

commit 1f5a44a66df44751d999fc90751ce098975f18a6
Author: 007bsd <22483432+007bsd@users.noreply.github.com>
Date:   Tue Jun 23 21:42:29 2026 +0300

    crypto/x509/pcy_cache.c: fix ext_pcons leak in policy_cache_new()

    Two early-return paths in policy_cache_new() bypass the just_cleanup:
    label and leak the POLICY_CONSTRAINTS object ext_pcons: (1) when
    certificatePolicies is absent but policyConstraints is present, and
    (2) when policy_cache_create() returns <= 0.  Free ext_pcons before
    each early return.

    Assisted-by: Claude:claude-sonnet-4-6
    CLA: trivial
    Fixes: 4acc3e907d29 "Initial support for certificate policy checking and evaluation."

    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Fri Jun 26 15:26:07 2026
    (Merged from https://github.com/openssl/openssl/pull/31678)

diff --git a/crypto/x509/pcy_cache.c b/crypto/x509/pcy_cache.c
index d1ee35377b..bffa96fd6c 100644
--- a/crypto/x509/pcy_cache.c
+++ b/crypto/x509/pcy_cache.c
@@ -134,6 +134,7 @@ static int policy_cache_new(X509 *x)
         /* If not absent some problem with extension */
         if (i != -1)
             goto bad_cache;
+        POLICY_CONSTRAINTS_free(ext_pcons);
         return 1;
     }

@@ -141,8 +142,10 @@ static int policy_cache_new(X509 *x)

     /* NB: ext_cpols freed by policy_cache_set_policies */

-    if (i <= 0)
+    if (i <= 0) {
+        POLICY_CONSTRAINTS_free(ext_pcons);
         return i;
+    }

     ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);