From c2eddee4569087260e1e579a32c3882d1f54e16c Mon Sep 17 00:00:00 2001
From: k-stachowiak <krzysiek.stachowiak@gmail.com>
Date: Mon, 9 Jul 2018 10:39:20 +0200
Subject: [PATCH 1/3] Fix memory leak in ssl_setup

---
 library/ssl_tls.c | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 153d745ce..6eff80d7c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5683,7 +5683,7 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
                        const mbedtls_ssl_config *conf )
 {
-    int ret;
+    int err;
     const size_t len = MBEDTLS_SSL_BUFFER_LEN;
 
     ssl->conf = conf;
@@ -5691,13 +5691,14 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
     /*
      * Prepare base structures
      */
+    ssl->in_buf = NULL;
+    ssl->out_buf = NULL;
     if( ( ssl-> in_buf = mbedtls_calloc( 1, len ) ) == NULL ||
         ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
-        mbedtls_free( ssl->in_buf );
-        ssl->in_buf = NULL;
-        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+        err = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        goto error;
     }
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -5731,10 +5732,33 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
         ssl->in_msg = ssl->in_buf + 13;
     }
 
-    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
-        return( ret );
+    if( ( err = ssl_handshake_init( ssl ) ) != 0 )
+        goto error;
 
     return( 0 );
+
+error:
+    mbedtls_free( ssl->in_buf );
+    mbedtls_free( ssl->out_buf );
+
+    ssl->conf = NULL;
+
+    ssl->in_buf = NULL;
+    ssl->out_buf = NULL;
+
+    ssl->in_hdr = NULL;
+    ssl->in_ctr = NULL;
+    ssl->in_len = NULL;
+    ssl->in_iv = NULL;
+    ssl->in_msg = NULL;
+
+    ssl->out_hdr = NULL;
+    ssl->out_ctr = NULL;
+    ssl->out_len = NULL;
+    ssl->out_iv = NULL;
+    ssl->out_msg = NULL;
+
+    return( err );
 }
 
 /*

From 6cba569e3f9a08efe6d8a92e288a5b5bbff0364a Mon Sep 17 00:00:00 2001
From: k-stachowiak <krzysiek.stachowiak@gmail.com>
Date: Mon, 9 Jul 2018 14:45:00 +0200
Subject: [PATCH 2/3] Update change log

---
 ChangeLog | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 49400160b..6c2cd9b29 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,11 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 = mbed TLS x.x.x branch released xxxx-xx-xx
 
+Security
+   * Fix a potential memory leak in mbedtls_ssl_setup( ) function. An allocation
+     failure could leave an unreleased buffer. A handshake init failure would
+     lead to leaving two unreleased buffers.
+
 Bugfix
    * Change the shebang line in Perl scripts to look up perl in the PATH.
      Contributed by fbrosson in #1533.

From 2c161144e2fd956e8cfd411775add58878f15c58 Mon Sep 17 00:00:00 2001
From: k-stachowiak <krzysiek.stachowiak@gmail.com>
Date: Tue, 31 Jul 2018 16:52:32 +0200
Subject: [PATCH 3/3] Revert change of a return variable name

---
 library/ssl_tls.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6eff80d7c..848e8bcbd 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5683,7 +5683,7 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
                        const mbedtls_ssl_config *conf )
 {
-    int err;
+    int ret;
     const size_t len = MBEDTLS_SSL_BUFFER_LEN;
 
     ssl->conf = conf;
@@ -5697,7 +5697,7 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
         ( ssl->out_buf = mbedtls_calloc( 1, len ) ) == NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len ) );
-        err = MBEDTLS_ERR_SSL_ALLOC_FAILED;
+        ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
         goto error;
     }
 
@@ -5732,7 +5732,7 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
         ssl->in_msg = ssl->in_buf + 13;
     }
 
-    if( ( err = ssl_handshake_init( ssl ) ) != 0 )
+    if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
         goto error;
 
     return( 0 );
@@ -5758,7 +5758,7 @@ error:
     ssl->out_iv = NULL;
     ssl->out_msg = NULL;
 
-    return( err );
+    return( ret );
 }
 
 /*