From 7dd08a7f698b7cc00d67fdb1aa2dfcb9eb1726fa Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 2 Apr 2026 14:16:33 +0000
Subject: [PATCH] Free server certificate (x509cert) after SSL_CTX_use_certificate in OpenSSLContext

SSL_CTX_use_certificate makes an internal copy, so the caller should free the original. This is the same class of bug fixed by commit 8ef5efce for client CA certificates after SSL_CTX_add_client_CA.

X509_free is added on:
- early return when private key parsing fails (x509cert already allocated)
- error path when SSL_CTX_use_certificate fails
- success path after SSL_CTX_use_certificate (copy already made internally)

Co-authored-by: markt-asf
---
 .../apache/tomcat/util/net/openssl/panama/OpenSSLContext.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index 28818a7ba9f0..934d1e5f74c9 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -1248,12 +1248,15 @@ public boolean addCertificate(SSLHostConfigCertificate certificate, Arena localA
                 PEM_read_bio_PrivateKey(keyBIO, MemorySegment.NULL, MemorySegment.NULL, MemorySegment.NULL);
         if (MemorySegment.NULL.equals(privateKeyAddress)) {
             logLastError("openssl.errorLoadingPrivateKey");
+            X509_free(x509cert);
             return false;
         }
         if (SSL_CTX_use_certificate(state.sslCtx, x509cert) <= 0) {
             logLastError("openssl.errorLoadingCertificate");
+            X509_free(x509cert);
             return false;
         }
+        X509_free(x509cert);
         if (SSL_CTX_use_PrivateKey(state.sslCtx, privateKeyAddress) <= 0) {
             logLastError("openssl.errorLoadingPrivateKey");
             return false;
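Review bot: The private key parsed by PEM_read_bio_PrivateKey is not released on the two error paths below it in this hunk: once privateKeyAddress is non-NULL, the `SSL_CTX_use_certificate` failure branch and the `SSL_CTX_use_PrivateKey` failure branch both `return false` without freeing it, so the EVP_PKEY (and the private key material inside it) stays allocated in process memory, which is the same class of leak this commit fixes for x509cert. Add `EVP_PKEY_free(privateKeyAddress);` before `return false;` in both branches, assuming the panama bindings expose that function as they do X509_free. Note also that SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey take their own reference (refcount increment) rather than making a deep copy, so the caller's reference to privateKeyAddress should likewise be released once SSL_CTX_use_PrivateKey has succeeded; addCertificate continues past the end of this hunk, so I cannot tell whether that release already happens later.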