Plug memory leak in weed-expired-certs code.

X509_STORE_add_cert() creates a copy of the certificate we're offering,
so we need to free our copy afterwards.  This isn't documented, but from
observed behaviour in OpenSSL 1.0.2 and its master branch source code.

Change PEM_read_X509() call to reuse cert to avoid free/reallocation
overhead.

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 3b583983a79499caeb9be4e311914de3ec2860f6..3d310b2b0bc6146e358bfeb14da8282107e8a867 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -95,7 +95,7 @@ static int ssl_negotiate (CONNECTION *conn, sslsockdata*);
 static int ssl_load_certificates (SSL_CTX *ctx)
 {
   FILE *fp;
-  X509 *cert;
+  X509 *cert = NULL;
   X509_STORE *store;
   char buf[STRING];
 
@@ -110,18 +110,20 @@ static int ssl_load_certificates (SSL_CTX *ctx)
   if ((fp = fopen (SslCertFile, "rt")) == NULL)
     return 0;
 
-  while ((cert = PEM_read_X509 (fp, NULL, NULL, NULL)) != NULL)
+  while (NULL != PEM_read_X509 (fp, &cert, NULL, NULL))
   {
     if ((X509_cmp_current_time (X509_get_notBefore (cert)) >= 0) ||
         (X509_cmp_current_time (X509_get_notAfter (cert)) <= 0))
     {
       mutt_debug (2, "ssl_load_certificates: filtering expired cert: %s\n",
               X509_NAME_oneline (X509_get_subject_name (cert), buf, sizeof (buf)));
-      X509_free (cert);
     }
     else
+    {
       X509_STORE_add_cert (store, cert);
+    }
   }
+  X509_free (cert);
   safe_fclose (&fp);
 
   return 1;