From a57509ef7c4983721193ac325ad5fb1783ea0f57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Tue, 12 Feb 2019 15:14:07 +0100
Subject: [PATCH 2/3] Remove redundant resets of variables after free()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>

CVE: CVE-2019-3829
Upstream-Status: Backport
[https://gitlab.com/gnutls/gnutls/commit/372821c883a3d36ed3ed683844ad9d90818f6392]

Signed-off-by: Dan Tran <dantran@microsoft.com>
---
 lib/auth.c                                        |  3 ---
 lib/auth/rsa.c                                    |  2 ++
 lib/auth/rsa_psk.c                                |  1 -
 lib/auth/srp_sb64.c                               |  2 --
 lib/cert-cred-x509.c                              |  3 ---
 lib/cert-cred.c                                   |  3 ---
 lib/hello_ext.c                                   |  5 ++---
 lib/mpi.c                                         |  1 -
 lib/nettle/mpi.c                                  |  2 --
 lib/nettle/pk.c                                   |  3 ---
 lib/ocsp-api.c                                    |  1 -
 lib/pk.c                                          |  2 --
 lib/pkcs11.c                                      |  1 -
 lib/pkcs11_privkey.c                              |  6 +-----
 lib/pkcs11_write.c                                |  1 -
 lib/session_pack.c                                |  2 --
 lib/srp.c                                         |  1 -
 lib/str.c                                         |  2 +-
 lib/tls13/certificate_request.c                   |  2 --
 lib/tpm.c                                         |  2 --
 lib/x509/ocsp.c                                   | 15 +++------------
 lib/x509/pkcs12_bag.c                             |  1 -
 lib/x509/pkcs7-crypt.c                            |  1 -
 lib/x509/pkcs7.c                                  |  6 ------
 lib/x509/privkey_pkcs8.c                          |  1 -
 lib/x509/verify-high2.c                           |  1 -
 lib/x509/virt-san.c                               |  1 -
 lib/x509/x509.c                                   |  4 ----
 lib/x509/x509_ext.c                               |  1 -
 lib/x509_b64.c                                    |  1 -
 tests/cert.c                                      |  2 --
 tests/name-constraints-ip.c                       |  3 +--
 tests/pkcs11/pkcs11-import-url-privkey.c          |  2 --
 tests/pkcs11/pkcs11-privkey-always-auth.c         |  2 --
 tests/pkcs11/pkcs11-privkey-fork-reinit.c         |  1 -
 tests/pkcs11/pkcs11-privkey-fork.c                |  1 -
 tests/pkcs11/pkcs11-privkey-safenet-always-auth.c |  2 --
 tests/pkcs7.c                                     |  2 --
 tests/resume-dtls.c                               |  1 -
 tests/resume.c                                    |  1 -
 tests/sign-verify-data.c                          |  1 -
 tests/sign-verify-ext.c                           |  2 --
 tests/sign-verify-ext4.c                          |  2 --
 tests/sign-verify.c                               |  1 -
 tests/x509-extensions.c                           |  1 -
 tests/x509sign-verify-error.c                     |  1 -
 46 files changed, 10 insertions(+), 92 deletions(-)

diff --git a/lib/auth.c b/lib/auth.c
index 4bdedda38..5f9b8c427 100644
--- a/lib/auth.c
+++ b/lib/auth.c
@@ -349,8 +349,6 @@ void _gnutls_free_auth_info(gnutls_session_t session)
 
 			gnutls_free(info->raw_certificate_list);
 			gnutls_free(info->raw_ocsp_list);
-			info->raw_certificate_list = NULL;
-			info->raw_ocsp_list = NULL;
 			info->ncerts = 0;
 			info->nocsp = 0;
 
@@ -367,7 +365,6 @@ void _gnutls_free_auth_info(gnutls_session_t session)
 	}
 
 	gnutls_free(session->key.auth_info);
-	session->key.auth_info = NULL;
 	session->key.auth_info_size = 0;
 	session->key.auth_info_type = 0;
 
diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
index 6afc91ae6..df6bd7bc6 100644
--- a/lib/auth/rsa.c
+++ b/lib/auth/rsa.c
@@ -196,6 +196,8 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
 	ret = gnutls_rnd(GNUTLS_RND_NONCE, rndkey.data,
 			  rndkey.size);
 	if (ret < 0) {
+		gnutls_free(session->key.key.data);
+		session->key.key.size = 0;
 		gnutls_assert();
 		goto cleanup;
 	}
diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
index 5a29f9183..590ff0f71 100644
--- a/lib/auth/rsa_psk.c
+++ b/lib/auth/rsa_psk.c
@@ -341,7 +341,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
 		    ("auth_rsa_psk: Possible PKCS #1 format attack\n");
 		if (ret >= 0) {
 			gnutls_free(plaintext.data);
-			plaintext.data = NULL;
 		}
 		randomize_key = 1;
 	} else {
diff --git a/lib/auth/srp_sb64.c b/lib/auth/srp_sb64.c
index 1177e7671..7bfffdf07 100644
--- a/lib/auth/srp_sb64.c
+++ b/lib/auth/srp_sb64.c
@@ -263,7 +263,6 @@ _gnutls_sbase64_decode(char *data, size_t idata_size, uint8_t ** result)
 		tmp = decode(tmpres, datrev);
 		if (tmp < 0) {
 			gnutls_free((*result));
-			*result = NULL;
 			return tmp;
 		}
 
@@ -277,7 +276,6 @@ _gnutls_sbase64_decode(char *data, size_t idata_size, uint8_t ** result)
 		tmp = decode(tmpres, (uint8_t *) & data[i]);
 		if (tmp < 0) {
 			gnutls_free((*result));
-			*result = NULL;
 			return tmp;
 		}
 		memcpy(&(*result)[j], tmpres, tmp);
diff --git a/lib/cert-cred-x509.c b/lib/cert-cred-x509.c
index f342a420b..da9cd647e 100644
--- a/lib/cert-cred-x509.c
+++ b/lib/cert-cred-x509.c
@@ -296,7 +296,6 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
 	    gnutls_pcert_import_x509_list(pcerts, unsorted, &ncerts, GNUTLS_X509_CRT_LIST_SORT);
 	if (ret < 0) {
 		gnutls_free(pcerts);
-		pcerts = NULL;
 		gnutls_assert();
 		goto cleanup;
 	}
@@ -540,7 +539,6 @@ read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key, const
 			goto cleanup;
 		}
 		gnutls_free(t.data);
-		t.data = NULL;
 	}
 
 	ret = certificate_credential_append_crt_list(res, key, names, ccert, count);
@@ -991,7 +989,6 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
 			while (i--)
 				gnutls_x509_crt_deinit((*crt_list)[i]);
 			gnutls_free(*crt_list);
-			*crt_list = NULL;
 
 			return gnutls_assert_val(ret);
 		}
diff --git a/lib/cert-cred.c b/lib/cert-cred.c
index 2150e903f..190a8b3a2 100644
--- a/lib/cert-cred.c
+++ b/lib/cert-cred.c
@@ -63,7 +63,6 @@ void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc)
 
 		for (j = 0; j < sc->certs[i].ocsp_data_length; j++) {
 			gnutls_free(sc->certs[i].ocsp_data[j].response.data);
-			sc->certs[i].ocsp_data[j].response.data = NULL;
 		}
 		_gnutls_str_array_clear(&sc->certs[i].names);
 		gnutls_privkey_deinit(sc->certs[i].pkey);
@@ -71,8 +70,6 @@ void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc)
 
 	gnutls_free(sc->certs);
 	gnutls_free(sc->sorted_cert_idx);
-	sc->certs = NULL;
-	sc->sorted_cert_idx = NULL;
 
 	sc->ncerts = 0;
 }
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index c4907aace..fb2b4db67 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -464,9 +464,8 @@ void _gnutls_hello_ext_deinit(void)
 			continue;
 
 		if (extfunc[i]->free_struct != 0) {
-			gnutls_free((void*)extfunc[i]->name);
-			gnutls_free((void*)extfunc[i]);
-			extfunc[i] = NULL;
+			gnutls_free(((hello_ext_entry_st *)extfunc[i])->name);
+			gnutls_free(extfunc[i]);
 		}
 	}
 }
diff --git a/lib/mpi.c b/lib/mpi.c
index 2bc970d7c..ed208d511 100644
--- a/lib/mpi.c
+++ b/lib/mpi.c
@@ -88,7 +88,6 @@ _gnutls_mpi_random_modp(bigint_t r, bigint_t p,
 
 	if (buf_release != 0) {
 		gnutls_free(buf);
-		buf = NULL;
 	}
 
 	if (r != NULL) {
diff --git a/lib/nettle/mpi.c b/lib/nettle/mpi.c
index 8a93ac278..96bec4aa4 100644
--- a/lib/nettle/mpi.c
+++ b/lib/nettle/mpi.c
@@ -122,7 +122,6 @@ static int wrap_nettle_mpi_init_multi(bigint_t *w, ...)
 fail:
 	mpz_clear(TOMPZ(*w));
 	gnutls_free(*w);
-	*w = NULL;
 
 	va_start(args, w);
 	
@@ -131,7 +130,6 @@ fail:
 		if (next != last_failed) {
 			mpz_clear(TOMPZ(*next));
 			gnutls_free(*next);
-			*next = NULL;
 		}
 	} while(next != last_failed);
 	
diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
index 6dcd2fdd0..f010493c0 100644
--- a/lib/nettle/pk.c
+++ b/lib/nettle/pk.c
@@ -371,7 +371,6 @@ dh_cleanup:
 
 			if (_gnutls_mem_is_zero(out->data, out->size)) {
 				gnutls_free(out->data);
-				out->data = NULL;
 				gnutls_assert();
 				ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER;
 				goto cleanup;
@@ -2203,8 +2202,6 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo,
 	params->params_nr = 0;
 	gnutls_free(params->raw_priv.data);
 	gnutls_free(params->raw_pub.data);
-	params->raw_priv.data = NULL;
-	params->raw_pub.data = NULL;
 
 	FAIL_IF_LIB_ERROR;
 	return ret;
diff --git a/lib/ocsp-api.c b/lib/ocsp-api.c
index d18a1f0c2..a0005e99d 100644
--- a/lib/ocsp-api.c
+++ b/lib/ocsp-api.c
@@ -473,7 +473,6 @@ gnutls_certificate_set_ocsp_status_request_mem(gnutls_certificate_credentials_t
 			nresp++;
 
 			gnutls_free(der.data);
-			der.data = NULL;
 
 			p.data++;
 			p.size--;
diff --git a/lib/pk.c b/lib/pk.c
index 1f137f71c..a5bb58b73 100644
--- a/lib/pk.c
+++ b/lib/pk.c
@@ -537,8 +537,6 @@ void gnutls_pk_params_release(gnutls_pk_params_st * p)
 	}
 	gnutls_free(p->raw_priv.data);
 	gnutls_free(p->raw_pub.data);
-	p->raw_priv.data = NULL;
-	p->raw_pub.data = NULL;
 
 	p->params_nr = 0;
 }
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 990912790..fa1b65884 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -1233,7 +1233,6 @@ int gnutls_pkcs11_obj_init(gnutls_pkcs11_obj_t * obj)
 	(*obj)->info = p11_kit_uri_new();
 	if ((*obj)->info == NULL) {
 		gnutls_free(*obj);
-		*obj = NULL;
 		gnutls_assert();
 		return GNUTLS_E_MEMORY_ERROR;
 	}
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index b721ed125..560a732e3 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -443,7 +443,6 @@ _gnutls_pkcs11_privkey_sign(gnutls_pkcs11_privkey_t key,
 		}
 
 		gnutls_free(tmp.data);
-		tmp.data = NULL;
 	} else {
 		signature->size = siglen;
 		signature->data = tmp.data;
@@ -521,10 +520,8 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
 
 	memset(&pkey->sinfo, 0, sizeof(pkey->sinfo));
 
-	if (pkey->url) {
+	if (pkey->url)
 		gnutls_free(pkey->url);
-		pkey->url = NULL;
-	}
 
 	if (pkey->uinfo) {
 		p11_kit_uri_free(pkey->uinfo);
@@ -613,7 +610,6 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
 		pkey->uinfo = NULL;
 	}
 	gnutls_free(pkey->url);
-	pkey->url = NULL;
 
 	return ret;
 }
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index 35207d554..6e866e2d4 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -268,7 +268,6 @@ static void clean_pubkey(struct ck_attribute *a, unsigned a_val)
 			case CKA_EC_PARAMS:
 			case CKA_EC_POINT:
 				gnutls_free(a[i].value);
-				a[i].value = NULL;
 				break;
 		}
 	}
diff --git a/lib/session_pack.c b/lib/session_pack.c
index c5801fb32..5d475ea59 100644
--- a/lib/session_pack.c
+++ b/lib/session_pack.c
@@ -562,8 +562,6 @@ unpack_certificate_auth_info(gnutls_session_t session,
 
 		gnutls_free(info->raw_certificate_list);
 		gnutls_free(info->raw_ocsp_list);
-		info->raw_certificate_list = NULL;
-		info->raw_ocsp_list = NULL;
 	}
 
 	return ret;
diff --git a/lib/srp.c b/lib/srp.c
index c3eb8e684..670642d64 100644
--- a/lib/srp.c
+++ b/lib/srp.c
@@ -608,7 +608,6 @@ gnutls_srp_set_server_credentials_file(gnutls_srp_server_credentials_t res,
 	if (res->password_conf_file == NULL) {
 		gnutls_assert();
 		gnutls_free(res->password_file);
-		res->password_file = NULL;
 		return GNUTLS_E_MEMORY_ERROR;
 	}
 
diff --git a/lib/str.c b/lib/str.c
index c8d742e91..7408ea6ac 100644
--- a/lib/str.c
+++ b/lib/str.c
@@ -81,7 +81,7 @@ void _gnutls_buffer_clear(gnutls_buffer_st * str)
 		return;
 	gnutls_free(str->allocd);
 
-	str->data = str->allocd = NULL;
+	str->data = NULL;
 	str->max_length = 0;
 	str->length = 0;
 }
diff --git a/lib/tls13/certificate_request.c b/lib/tls13/certificate_request.c
index a7ec0e2fd..823adc87f 100644
--- a/lib/tls13/certificate_request.c
+++ b/lib/tls13/certificate_request.c
@@ -152,7 +152,6 @@ int _gnutls13_recv_certificate_request_int(gnutls_session_t session, gnutls_buff
 			return gnutls_assert_val(ret);
 
 		gnutls_free(session->internals.post_handshake_cr_context.data);
-		session->internals.post_handshake_cr_context.data = NULL;
 		ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context,
 					context.data, context.size);
 		if (ret < 0)
@@ -279,7 +278,6 @@ int _gnutls13_send_certificate_request(gnutls_session_t session, unsigned again)
 			}
 
 			gnutls_free(session->internals.post_handshake_cr_context.data);
-			session->internals.post_handshake_cr_context.data = NULL;
 			ret = _gnutls_set_datum(&session->internals.post_handshake_cr_context,
 						rnd, sizeof(rnd));
 			if (ret < 0) {
diff --git a/lib/tpm.c b/lib/tpm.c
index ee53c7154..03565acb0 100644
--- a/lib/tpm.c
+++ b/lib/tpm.c
@@ -1645,10 +1645,8 @@ gnutls_tpm_privkey_generate(gnutls_pk_algorithm_t pk, unsigned int bits,
 	gnutls_pubkey_deinit(pub);
       privkey_cleanup:
 	gnutls_free(privkey->data);
-	privkey->data = NULL;
       cleanup:
 	gnutls_free(tmpkey.data);
-	tmpkey.data = NULL;
       err_sa:
 	pTspi_Context_CloseObject(s.tpm_ctx, key_ctx);
       err_cc:
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index db54b3ea2..55cae94c3 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -162,7 +162,6 @@ void gnutls_ocsp_resp_deinit(gnutls_ocsp_resp_t resp)
 		asn1_delete_structure(&resp->basicresp);
 
 	resp->resp = NULL;
-	resp->response_type_oid.data = NULL;
 	resp->basicresp = NULL;
 
 	gnutls_free(resp->der.data);
@@ -299,7 +298,6 @@ gnutls_ocsp_resp_import2(gnutls_ocsp_resp_t resp,
 		}
 
 		gnutls_free(resp->der.data);
-		resp->der.data = NULL;
 	}
 
 	resp->init = 1;
@@ -1668,18 +1666,12 @@ gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_t resp,
 
 	return GNUTLS_E_SUCCESS;
  fail:
-	if (issuer_name_hash) {
+	if (issuer_name_hash)
 		gnutls_free(issuer_name_hash->data);
-		issuer_name_hash->data = NULL;
-	}
-	if (issuer_key_hash) {
+	if (issuer_key_hash)
 		gnutls_free(issuer_key_hash->data);
-		issuer_key_hash->data = NULL;
-	}
-	if (serial_number) {
+	if (serial_number)
 		gnutls_free(serial_number->data);
-		serial_number->data = NULL;
-	}
 	return ret;
 }
 
@@ -1955,7 +1947,6 @@ gnutls_ocsp_resp_get_certs(gnutls_ocsp_resp_t resp,
 		}
 
 		gnutls_free(c.data);
-		c.data = NULL;
 	}
 
 	tmpcerts[ctr] = NULL;
diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index 26d2142ea..35d12ac4b 100644
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -62,7 +62,6 @@ static inline void _pkcs12_bag_free_data(gnutls_pkcs12_bag_t bag)
 		_gnutls_free_datum(&bag->element[i].data);
 		_gnutls_free_datum(&bag->element[i].local_key_id);
 		gnutls_free(bag->element[i].friendly_name);
-		bag->element[i].friendly_name = NULL;
 		bag->element[i].type = 0;
 	}
 
diff --git a/lib/x509/pkcs7-crypt.c b/lib/x509/pkcs7-crypt.c
index c2b00e61c..39eb7784b 100644
--- a/lib/x509/pkcs7-crypt.c
+++ b/lib/x509/pkcs7-crypt.c
@@ -1269,7 +1269,6 @@ _gnutls_pkcs_raw_decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn,
 	    _gnutls_cipher_init(&ch, ce, &dkey, &d_iv, 0);
 
 	gnutls_free(key);
-	key = NULL;
 
 	if (ret < 0) {
 		gnutls_assert();
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 955cb5ae9..8ae7b3e78 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -692,7 +692,6 @@ int gnutls_pkcs7_get_signature_info(gnutls_pkcs7_t pkcs7, unsigned idx,
 
 		ret = gnutls_pkcs7_add_attr(&info->signed_attrs, oid, &tmp, 0);
 		gnutls_free(tmp.data);
-		tmp.data = NULL;
 
 		if (ret < 0) {
 			gnutls_assert();
@@ -730,7 +729,6 @@ int gnutls_pkcs7_get_signature_info(gnutls_pkcs7_t pkcs7, unsigned idx,
 		ret =
 		    gnutls_pkcs7_add_attr(&info->unsigned_attrs, oid, &tmp, 0);
 		gnutls_free(tmp.data);
-		tmp.data = NULL;
 
 		if (ret < 0) {
 			gnutls_assert();
@@ -842,9 +840,7 @@ static int verify_hash_attr(gnutls_pkcs7_t pkcs7, const char *root,
 		}
 
 		gnutls_free(tmp.data);
-		tmp.data = NULL;
 		gnutls_free(tmp2.data);
-		tmp2.data = NULL;
 	}
 
 	if (msg_digest_ok)
@@ -1087,7 +1083,6 @@ static gnutls_x509_crt_t find_verified_issuer_of(gnutls_pkcs7_t pkcs7,
 			gnutls_x509_crt_deinit(issuer);
 			issuer = NULL;
 			gnutls_free(tmp.data);
-			tmp.data = NULL;
 			continue;
 		}
 
@@ -1204,7 +1199,6 @@ static gnutls_x509_crt_t find_child_of_with_serial(gnutls_pkcs7_t pkcs7,
 				gnutls_x509_crt_deinit(crt);
 				crt = NULL;
 				gnutls_free(tmpdata.data);
-				tmpdata.data = NULL;
 				continue;
 			}
 		} else {
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index 92dea06b0..56000ff12 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -600,7 +600,6 @@ gnutls_pkcs8_info(const gnutls_datum_t * data, gnutls_x509_crt_fmt_t format,
  cleanup:
 	if (ret != GNUTLS_E_UNKNOWN_CIPHER_TYPE && oid) {
 		gnutls_free(*oid);
-		*oid = NULL;
 	}
 	if (need_free)
 		_gnutls_free_datum(&_data);
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 8ba2f2a3e..b9aed5cf4 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -178,7 +178,6 @@ int remove_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file)
 {
 	if (strcmp(ca_file, list->pkcs11_token) == 0) {
 		gnutls_free(list->pkcs11_token);
-		list->pkcs11_token = NULL;
 	}
 	return 0;
 }
diff --git a/lib/x509/virt-san.c b/lib/x509/virt-san.c
index f3b87135b..a81337e25 100644
--- a/lib/x509/virt-san.c
+++ b/lib/x509/virt-san.c
@@ -70,7 +70,6 @@ int _gnutls_alt_name_assign_virt_type(struct name_st *name, unsigned type, gnutl
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 		gnutls_free(san->data);
-		san->data = NULL;
 
 		if (othername_oid) {
 			name->othername_oid.data = (uint8_t *) othername_oid;
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 4aff55eba..c149881f6 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -383,7 +383,6 @@ static int cache_alt_names(gnutls_x509_crt_t cert)
 	if (ret >= 0) {
 		ret = gnutls_x509_ext_import_subject_alt_names(&tmpder, cert->san, 0);
 		gnutls_free(tmpder.data);
-		tmpder.data = NULL;
 		if (ret < 0)
 			return gnutls_assert_val(ret);
 	}
@@ -3680,7 +3679,6 @@ gnutls_x509_crt_list_import2(gnutls_x509_crt_t ** certs,
 
 	if (ret < 0) {
 		gnutls_free(*certs);
-		*certs = NULL;
 		return ret;
 	}
 
@@ -4310,7 +4308,6 @@ gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs,
 
 		if (gnutls_x509_crt_equals2(crts[i-1], &issuer)) {
 			gnutls_free(issuer.data);
-			issuer.data = NULL;
 			break;
 		}
 
@@ -4331,7 +4328,6 @@ gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs,
 		}
 
 		gnutls_free(issuer.data);
-		issuer.data = NULL;
 	}
 
 	*certs = gnutls_malloc(total*sizeof(gnutls_x509_crt_t));
diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
index 58c3263d1..477cf03c4 100644
--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
@@ -1994,7 +1994,6 @@ int gnutls_x509_ext_import_policies(const gnutls_datum_t * ext,
 				ret =
 				    decode_user_notice(td.data, td.size, &txt);
 				gnutls_free(td.data);
-				td.data = NULL;
 
 				if (ret < 0) {
 					gnutls_assert();
diff --git a/lib/x509_b64.c b/lib/x509_b64.c
index 9a1037405..3117843be 100644
--- a/lib/x509_b64.c
+++ b/lib/x509_b64.c
@@ -302,7 +302,6 @@ _gnutls_base64_decode(const uint8_t * data, size_t data_size,
 
  fail:
 	gnutls_free(result->data);
-	result->data = NULL;
 
  cleanup:
 	gnutls_free(pdata.data);
diff --git a/tests/cert.c b/tests/cert.c
index da0ab23df..ec566a4a4 100644
--- a/tests/cert.c
+++ b/tests/cert.c
@@ -89,7 +89,6 @@ static int getnextcert(DIR **dirp, gnutls_datum_t *der, int *exp_ret)
 				*exp_ret = atoi((char*)local.data);
 				success("expecting error code %d\n", *exp_ret);
 				gnutls_free(local.data);
-				local.data = NULL;
 			}
 
 			return 0;
@@ -135,7 +134,6 @@ void doit(void)
 
 		gnutls_x509_crt_deinit(cert);
 		gnutls_free(der.data);
-		der.data = NULL;
 		der.size = 0;
 		exp_ret = -1;
 	}
diff --git a/tests/name-constraints-ip.c b/tests/name-constraints-ip.c
index 3dd4ff2cb..ed96109c7 100644
--- a/tests/name-constraints-ip.c
+++ b/tests/name-constraints-ip.c
@@ -78,7 +78,6 @@ static void check_test_result(int ret, int expected_outcome,
 static void parse_cidr(const char* cidr, gnutls_datum_t *datum) {
 	if (datum->data != NULL) {
 		gnutls_free(datum->data);
-		datum->data = NULL;
 	}
 	int ret = gnutls_x509_cidr_to_rfc5280(cidr, datum);
 	check_for_error(ret);
@@ -699,7 +698,7 @@ static int teardown(void **state) {
 	gnutls_free(test_vars->ip.data);
 	gnutls_x509_name_constraints_deinit(test_vars->nc);
 	gnutls_x509_name_constraints_deinit(test_vars->nc2);
-	gnutls_free(test_vars);
+	gnutls_free(*state);
 	return 0;
 }
 
diff --git a/tests/pkcs11/pkcs11-import-url-privkey.c b/tests/pkcs11/pkcs11-import-url-privkey.c
index cb44fb1e5..c7e06eb1a 100644
--- a/tests/pkcs11/pkcs11-import-url-privkey.c
+++ b/tests/pkcs11/pkcs11-import-url-privkey.c
@@ -85,7 +85,6 @@ void doit(void)
 	for (i=0;i<obj_list_size;i++)
 		gnutls_pkcs11_obj_deinit(obj_list[i]);
 	gnutls_free(obj_list);
-	obj_list = NULL;
 	obj_list_size = 0;
 
 #ifndef _WIN32
@@ -116,7 +115,6 @@ void doit(void)
 		for (i=0;i<obj_list_size;i++)
 			gnutls_pkcs11_obj_deinit(obj_list[i]);
 		gnutls_free(obj_list);
-		obj_list = NULL;
 		obj_list_size = 0;
 	}
 #endif
diff --git a/tests/pkcs11/pkcs11-privkey-always-auth.c b/tests/pkcs11/pkcs11-privkey-always-auth.c
index 3561c412f..441f63722 100644
--- a/tests/pkcs11/pkcs11-privkey-always-auth.c
+++ b/tests/pkcs11/pkcs11-privkey-always-auth.c
@@ -175,7 +175,6 @@ void doit(void)
 	pin_called = 0;
 
 	gnutls_free(sig.data);
-	sig.data = NULL;
 
 	/* call again - should re-authenticate */
 	ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
@@ -190,7 +189,6 @@ void doit(void)
 	pin_called = 0;
 
 	gnutls_free(sig.data);
-	sig.data = NULL;
 
 	if (debug)
 		printf("done\n\n\n");
diff --git a/tests/pkcs11/pkcs11-privkey-fork-reinit.c b/tests/pkcs11/pkcs11-privkey-fork-reinit.c
index 1535d644f..a72584225 100644
--- a/tests/pkcs11/pkcs11-privkey-fork-reinit.c
+++ b/tests/pkcs11/pkcs11-privkey-fork-reinit.c
@@ -123,7 +123,6 @@ void doit(void)
 	}
 
 	gnutls_free(sig.data);
-	sig.data = NULL;
 
 	pid = fork();
 	if (pid != 0) {
diff --git a/tests/pkcs11/pkcs11-privkey-fork.c b/tests/pkcs11/pkcs11-privkey-fork.c
index 9d301d7d6..b99755c73 100644
--- a/tests/pkcs11/pkcs11-privkey-fork.c
+++ b/tests/pkcs11/pkcs11-privkey-fork.c
@@ -123,7 +123,6 @@ void doit(void)
 	}
 
 	gnutls_free(sig.data);
-	sig.data = NULL;
 
 	pid = fork();
 	if (pid != 0) {
diff --git a/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c b/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
index 1b5b34054..a4ab5b5aa 100644
--- a/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
+++ b/tests/pkcs11/pkcs11-privkey-safenet-always-auth.c
@@ -157,7 +157,6 @@ void doit(void)
 	pin_called = 0;
 
 	gnutls_free(sig.data);
-	sig.data = NULL;
 
 	/* call again - should re-authenticate */
 	ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
@@ -172,7 +171,6 @@ void doit(void)
 	pin_called = 0;
 
 	gnutls_free(sig.data);
-	sig.data = NULL;
 
 	if (debug)
 		printf("done\n\n\n");
diff --git a/tests/pkcs7.c b/tests/pkcs7.c
index a490976fc..2d5a5548d 100644
--- a/tests/pkcs7.c
+++ b/tests/pkcs7.c
@@ -90,7 +90,6 @@ static int getnextfile(DIR **dirp, gnutls_datum_t *der, int *exp_ret)
 				*exp_ret = atoi((char*)local.data);
 				success("expecting error code %d\n", *exp_ret);
 				gnutls_free(local.data);
-				local.data = NULL;
 			}
 
 			return 0;
@@ -134,7 +133,6 @@ void doit(void)
 
 		gnutls_pkcs7_deinit(cert);
 		gnutls_free(der.data);
-		der.data = NULL;
 		der.size = 0;
 		exp_ret = -1;
 	}
diff --git a/tests/resume-dtls.c b/tests/resume-dtls.c
index 9e6327c7f..b5b214313 100644
--- a/tests/resume-dtls.c
+++ b/tests/resume-dtls.c
@@ -363,7 +363,6 @@ static void server(int sds[], struct params_res *params)
 	}
 
 	gnutls_free(session_ticket_key.data);
-	session_ticket_key.data = NULL;
 	gnutls_anon_free_server_credentials(anoncred);
 
 	if (debug)
diff --git a/tests/resume.c b/tests/resume.c
index 84314b836..3dc225136 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -873,7 +873,6 @@ static void server(int sds[], struct params_res *params)
 	}
 
 	gnutls_free(session_ticket_key.data);
-	session_ticket_key.data = NULL;
 
 	if (debug)
 		success("server: finished\n");
diff --git a/tests/sign-verify-data.c b/tests/sign-verify-data.c
index 3aa261175..558ad2253 100644
--- a/tests/sign-verify-data.c
+++ b/tests/sign-verify-data.c
@@ -153,7 +153,6 @@ void doit(void)
 
 		/* test the raw interface */
 		gnutls_free(signature.data);
-		signature.data = NULL;
 
 		gnutls_free(signature.data);
 		gnutls_x509_crt_deinit(crt);
diff --git a/tests/sign-verify-ext.c b/tests/sign-verify-ext.c
index eecb1f357..cc80bf907 100644
--- a/tests/sign-verify-ext.c
+++ b/tests/sign-verify-ext.c
@@ -186,9 +186,7 @@ void doit(void)
 
 		/* test the raw interface */
 		gnutls_free(signature.data);
-		signature.data = NULL;
 		gnutls_free(signature2.data);
-		signature2.data = NULL;
 
 		if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
 		    GNUTLS_PK_RSA) {
diff --git a/tests/sign-verify-ext4.c b/tests/sign-verify-ext4.c
index 81aa345bf..be582ec14 100644
--- a/tests/sign-verify-ext4.c
+++ b/tests/sign-verify-ext4.c
@@ -227,7 +227,6 @@ void doit(void)
 			testfail("gnutls_pubkey_verify_data2\n");
 
 		gnutls_free(signature.data);
-		signature.data = NULL;
 
 
 		if (!tests[i].data_only) {
@@ -243,7 +242,6 @@ void doit(void)
 				testfail("gnutls_pubkey_verify_hash2-1 (hashed data)\n");
 
 			gnutls_free(signature2.data);
-			signature2.data = NULL;
 		}
 
 		if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
diff --git a/tests/sign-verify.c b/tests/sign-verify.c
index 1fbed5ece..5a14741fc 100644
--- a/tests/sign-verify.c
+++ b/tests/sign-verify.c
@@ -206,7 +206,6 @@ void doit(void)
 
 		/* test the raw interface */
 		gnutls_free(signature.data);
-		signature.data = NULL;
 
 		if (gnutls_pubkey_get_pk_algorithm(pubkey, NULL) ==
 		    GNUTLS_PK_RSA) {
diff --git a/tests/x509-extensions.c b/tests/x509-extensions.c
index d480f8364..a062c1ba8 100644
--- a/tests/x509-extensions.c
+++ b/tests/x509-extensions.c
@@ -767,7 +767,6 @@ void doit(void)
 			}
 		}
 		gnutls_free(ext.data);
-		ext.data = NULL;
 	}
 
 	if (debug)
diff --git a/tests/x509sign-verify-error.c b/tests/x509sign-verify-error.c
index 54bdc40ab..97c966685 100644
--- a/tests/x509sign-verify-error.c
+++ b/tests/x509sign-verify-error.c
@@ -181,7 +181,6 @@ void doit(void)
 			fail("gnutls_privkey_sign_hash\n");
 
 		gnutls_free(signature2.data);
-		signature2.data = NULL;
 
 		_gnutls_lib_simulate_error();
 		ret = gnutls_privkey_sign_hash(privkey, GNUTLS_DIG_SHA1, 0,
-- 
2.22.0.vfs.1.1.57.gbaf16c8