commit ba9c727e94a6d26fd9c93c10759872310bd5e6f1
author Jerry Yu <jerry.h.yu@arm.com> Sat Oct 30 11:54:10 2021 +0800
committer Jerry Yu <jerry.h.yu@arm.com> Sat Oct 30 20:23:45 2021 +0800
tree 443e83a0520360119673a7a12ebd1a35a4e9cd83
parent 47413c2c8f5ad766874e279445a1e567ed9935e3

fix memory leak issue

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index c507950..1929d8b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5477,8 +5477,15 @@
     psa_destroy_key( handshake->ecdh_psa_privkey );
 #endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
 
-    mbedtls_platform_zeroize( handshake,
-                              sizeof( mbedtls_ssl_handshake_params ) );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+    mbedtls_ssl_transform_free(handshake->transform_handshake);
+    mbedtls_ssl_transform_free(handshake->transform_earlydata);
+    mbedtls_free( handshake->transform_earlydata );
+    mbedtls_free( handshake->transform_handshake );
+    handshake->transform_earlydata = NULL;
+    handshake->transform_handshake = NULL;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
 
 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
     /* If the buffers are too big - reallocate. Because of the way Mbed TLS
@@ -5489,12 +5496,9 @@
                                     mbedtls_ssl_get_output_buflen( ssl ) );
 #endif
 
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
-    mbedtls_free( handshake->transform_earlydata );
-    mbedtls_free( handshake->transform_handshake );
-    handshake->transform_earlydata = NULL;
-    handshake->transform_handshake = NULL;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+    /* mbedtls_platform_zeroize MUST be last one in this function */
+    mbedtls_platform_zeroize( handshake,
+                              sizeof( mbedtls_ssl_handshake_params ) );
 }
 
 void mbedtls_ssl_session_free( mbedtls_ssl_session *session )