From 5aff029f9d2b8db78da64655c6808a1dfac6f64f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg2@elzevir.fr>
Date: Mon, 28 Sep 2015 18:09:45 +0200
Subject: [PATCH] Fix potential double-free in ssl_set_psk()

---
 ChangeLog         | 3 +++
 library/ssl_tls.c | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 89caddbc4..14ae034f2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,9 @@ Security
      on crafted PEM input data. Found an fix provided by Guid Vranken.
      Not triggerable remotely in TLS. Triggerable remotely if you accept PEM
      data from an untrusted source.
+   * Fix potential double-free if ssl_set_psk() is called repeatedly on
+     the same ssl_context object and some memory allocations fail.
+     Found by Guido Vranken. Can not be forced remotely.
 
 = mbed TLS 1.3.13 reladsed 2015-09-17
 
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 96e867b69..f16bb5310 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4064,7 +4064,9 @@ int ssl_set_psk( ssl_context *ssl, const unsigned char *psk, size_t psk_len,
         ( ssl->psk_identity = polarssl_malloc( psk_identity_len ) ) == NULL )
     {
         polarssl_free( ssl->psk );
+        polarssl_free( ssl->psk_identity );
         ssl->psk = NULL;
+        ssl->psk_identity = NULL;
         return( POLARSSL_ERR_SSL_MALLOC_FAILED );
     }