From 1a8b549098d963911ee2a406a646127e8094b83b Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Wed, 5 Nov 2014 00:51:38 -0500
Subject: [PATCH] Fix memory leak in calling SSL_clear.

State hanging off the SSL gets freed in two places.

Change-Id: I41a8d2a7cab35f0098396006e1f6380038ec471a
Reviewed-on: https://boringssl-review.googlesource.com/2212
Reviewed-by: Adam Langley
---
 ssl/s3_lib.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 30606847..e4ded324 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1047,12 +1047,23 @@ void ssl3_clear(SSL *s)
 size_t rlen, wlen;
 int init_extra;
 
+ /* TODO(davidben): Can this just call ssl3_free +
+ * ssl3_new. rbuf, wbuf, and init_extra are preserved, but
+ * this may not serve anything more than saving a malloc. */
+
 ssl3_cleanup_key_block(s);
 if (s->s3->tmp.ca_names != NULL)
 sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
+ s->s3->tmp.ca_names = NULL;
 if (s->s3->tmp.certificate_types != NULL)
 OPENSSL_free(s->s3->tmp.certificate_types);
- s->s3->tmp.num_certificate_types = 0;
+ s->s3->tmp.certificate_types = NULL;
+ if (s->s3->tmp.peer_ecpointformatlist)
+ OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
+ s->s3->tmp.peer_ecpointformatlist = NULL;
+ if (s->s3->tmp.peer_ellipticcurvelist)
+ OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
+ s->s3->tmp.peer_ellipticcurvelist = NULL;
 if (s->s3->tmp.dh != NULL) {