Merge pull request #864 from davidhorstmann-arm/2.16-fix-session-copy-bug
Backport 2.16: [session] fix a session copy bug
diff --git a/ChangeLog.d/fix-session-copy-bug.txt b/ChangeLog.d/fix-session-copy-bug.txt
new file mode 100644
index 0000000..46e3d8e
--- /dev/null
+++ b/ChangeLog.d/fix-session-copy-bug.txt
@@ -0,0 +1,6 @@
+Bugfix
+ * Fix a double-free that happened after mbedtls_ssl_set_session() or
+ mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
+ (out of memory). After that, calling mbedtls_ssl_session_free()
+ and mbedtls_ssl_free() would cause an internal session buffer to
+ be free()'d twice.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3c1e917..962d625 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -301,6 +301,10 @@
mbedtls_ssl_session_free( dst );
memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
+ dst->ticket = NULL;
+#endif
+
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( src->peer_cert != NULL )
{