gnutls_x509_trust_list_add_trust_mem: fix behavior with unaccounted certs

If gnutls_x509_trust_list_add_cas returns less than clist_size, the additional
unaccounted certificates will never be freed.

Relates #552

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 8c75b26414..8ba2f2a3ee 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -58,6 +58,9 @@
  * This function will add the given certificate authorities
  * to the trusted list. 
  *
+ * If this function is used gnutls_x509_trust_list_deinit() must be called
+ * with parameter @all being 1.
+ *
  * Returns: The number of added elements is returned.
  *
  * Since: 3.1
@@ -76,6 +79,9 @@ gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
 	unsigned int x509_ncas, x509_ncrls;
 	unsigned int r = 0;
 
+	/* When adding CAs or CRLs, we use the GNUTLS_TL_NO_DUPLICATES flag to ensure
+	 * that unaccounted certificates/CRLs are deinitialized. */
+
 	if (cas != NULL && cas->data != NULL) {
 		ret =
 		    gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas,
@@ -85,7 +91,7 @@ gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
 
 		ret =
 		    gnutls_x509_trust_list_add_cas(list, x509_ca_list,
-						   x509_ncas, tl_flags);
+						   x509_ncas, tl_flags|GNUTLS_TL_NO_DUPLICATES);
 		gnutls_free(x509_ca_list);
 
 		if (ret < 0)