commit 1a8b549098d963911ee2a406a646127e8094b83b
author David Benjamin <davidben@chromium.org> Wed Nov 05 00:51:38 2014 -0500
committer Adam Langley <agl@google.com> Thu Nov 06 02:03:05 2014 +0000
tree 71b9d08131ba65c1fe22fb872394accdecbc33f8
parent 9da9035b50e8eb149a9cb25cc6bf6a1690d61e07

Fix memory leak in calling SSL_clear.

State hanging off the SSL gets freed in two places.

Change-Id: I41a8d2a7cab35f0098396006e1f6380038ec471a
Reviewed-on: https://boringssl-review.googlesource.com/2212
Reviewed-by: Adam Langley <agl@google.com>

ssl/s3_lib.c

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 3060684..e4ded32 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1047,12 +1047,23 @@
 	size_t rlen, wlen;
 	int init_extra;
 
+	/* TODO(davidben): Can this just call ssl3_free +
+	 * ssl3_new. rbuf, wbuf, and init_extra are preserved, but
+	 * this may not serve anything more than saving a malloc. */
+
 	ssl3_cleanup_key_block(s);
 	if (s->s3->tmp.ca_names != NULL)
 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+	s->s3->tmp.ca_names = NULL;
 	if (s->s3->tmp.certificate_types != NULL)
 		OPENSSL_free(s->s3->tmp.certificate_types);
-	s->s3->tmp.num_certificate_types = 0;
+	s->s3->tmp.certificate_types = NULL;
+	if (s->s3->tmp.peer_ecpointformatlist)
+		OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
+	s->s3->tmp.peer_ecpointformatlist = NULL;
+	if (s->s3->tmp.peer_ellipticcurvelist)
+		OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
+	s->s3->tmp.peer_ellipticcurvelist = NULL;
 
 	if (s->s3->tmp.dh != NULL)
 		{