Commit 0299b262 authored by Daniel Gustafsson's avatar Daniel Gustafsson
Browse files

mbedtls: release sessionid resources on error 



If mbedtls_ssl_get_session() fails, it may still have allocated
memory that needs to be freed to avoid leaking. Call the library
API function to release session resources on this errorpath as
well as on Curl_ssl_addsessionid() errors.

Closes: #3574
Reported-by: default avatarMichał Antoniak <M.Antoniak@posnet.com>
Reviewed-by: default avatarDaniel Stenberg <daniel@haxx.se>
parent 188036ca

lib/vtls/mbedtls.c

+3 −0
Original line number Diff line number Diff line
@@ -716,6 +716,8 @@ mbed_connect_step3(struct connectdata *conn, 


    ret = mbedtls_ssl_get_session(&BACKEND->ssl, our_ssl_sessionid);

    if(ret) {

      if(ret != MBEDTLS_ERR_SSL_ALLOC_FAILED)

        mbedtls_ssl_session_free(our_ssl_sessionid);

      free(our_ssl_sessionid);

      failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);

      return CURLE_SSL_CONNECT_ERROR;
@@ -729,6 +731,7 @@ mbed_connect_step3(struct connectdata *conn, 
    retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);

    Curl_ssl_sessionid_unlock(conn);

    if(retcode) {

      mbedtls_ssl_session_free(our_ssl_sessionid);

      free(our_ssl_sessionid);

      failf(data, "failed to store ssl session");

      return retcode;