From 781e5949d3808c3f16081c013a17c260fea33b72 Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Thu, 9 Jul 2026 16:48:11 -0700 Subject: [PATCH] fix: plug pkey/ca leak in CA setup error paths --- src/x509/clu_ca_setup.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/x509/clu_ca_setup.c b/src/x509/clu_ca_setup.c index 786b525f..7d745d5c 100644 --- a/src/x509/clu_ca_setup.c +++ b/src/x509/clu_ca_setup.c @@ -286,6 +286,7 @@ int wolfCLU_CASetup(int argc, char** argv) if (selfSigned) { wolfCLU_CertSignSetCA(signer, x509, pkey, wolfCLU_GetTypeFromPKEY(pkey)); + pkey = NULL; /* ownership transferred to signer */ } else if (altSign) { char* subjName = wolfSSL_X509_NAME_oneline( @@ -302,6 +303,8 @@ int wolfCLU_CASetup(int argc, char** argv) else { wolfCLU_CertSignSetCA(signer, ca, pkey, wolfCLU_GetTypeFromPKEY(pkey)); + ca = NULL; /* ownership transferred to signer */ + pkey = NULL; /* ownership transferred to signer */ } } @@ -335,9 +338,12 @@ int wolfCLU_CASetup(int argc, char** argv) if (!selfSigned) { wolfSSL_X509_free(x509); } - if ((selfSigned || altSign) && ca != NULL) { + if (ca != NULL) { wolfSSL_X509_free(ca); } + if (pkey != NULL) { + wolfSSL_EVP_PKEY_free(pkey); + } /* check for success on signer free since random data is output */ if (wolfCLU_CertSignFree(signer) != WOLFCLU_SUCCESS) {