Commit 84347b9494 for openssl.org
commit 84347b949455c36a5f716d401e9f864e4e3af0cc
Author: Weidong Wang <kenazcharisma@gmail.com>
Date: Tue Mar 17 11:21:52 2026 -0500
Fix OCSP_BASICRESP memory leak in ossl_get_ocsp_response()
In ossl_get_ocsp_response(), the OCSP_BASICRESP allocated by
OCSP_response_get1_basic() is never freed when the OCSP response
contains zero SingleResponse entries.
The allocation and guard were combined in a single && expression,
so when OCSP_resp_get0(bs, 0) returns NULL, short-circuit evaluation
skips the block containing OCSP_BASICRESP_free(bs), leaking bs on
every handshake with such a response.
Fix by splitting the allocation out of the condition and adding an
else branch that frees bs when the SingleResponse check fails.
Fixes: b1b4b154fd38 "Add support for TLS 1.3 OCSP multi-stapling for server certs"
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
MergeDate: Sat Mar 21 22:23:27 2026
(Merged from https://github.com/openssl/openssl/pull/30463)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 288fc31f8f..84e8b92a1e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -494,8 +494,8 @@ OCSP_RESPONSE *ossl_get_ocsp_response(SSL_CONNECTION *s, int chainidx)
* happening because of test cases.
*/
ERR_set_mark();
- if (((bs = OCSP_response_get1_basic(resp)) != NULL)
- && ((sr = OCSP_resp_get0(bs, 0)) != NULL)) {
+ bs = OCSP_response_get1_basic(resp);
+ if (bs != NULL && (sr = OCSP_resp_get0(bs, 0)) != NULL) {
/* use the first single response to get the algorithm used */
cid = (OCSP_CERTID *)OCSP_SINGLERESP_get0_id(sr);
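Review bot: the new condition at `+ if (bs != NULL && (sr = OCSP_resp_get0(bs, 0)) != NULL) {` still embeds an assignment inside the guard, the pattern the commit message identifies as having hidden the original leak; since `sr` comes from a get0 accessor it owns nothing and cannot leak, so this is a readability point only, but hoisting `sr = OCSP_resp_get0(bs, 0);` under the `bs != NULL` check would make the two failure paths (no basic response, no SingleResponse) visibly distinct for the next reader.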
@@ -551,6 +551,8 @@ OCSP_RESPONSE *ossl_get_ocsp_response(SSL_CONNECTION *s, int chainidx)
*/
if (i == num)
resp = NULL;
+ } else {
+ OCSP_BASICRESP_free(bs);
}
/*
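Review bot: the `} else {` branch added here runs not only when the SingleResponse check fails, as the commit message describes, but also when `OCSP_response_get1_basic(resp)` returned NULL, so `OCSP_BASICRESP_free(bs);` is reached with `bs == NULL` on that path; this is correct because OpenSSL's free functions accept NULL, but a one-line comment on the else (e.g. `/* no basic response or no SingleResponse: release bs (NULL-safe) */`) would record that both paths deliberately end here, and the commit message could mention the NULL case for accuracy.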