From 4bf086005fe5ebcda5dc4d48ff701b41ab9b07f0 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 6 Dec 2016 10:49:01 +0000
Subject: [PATCH] Fix a leak in SSL_clear()

SSL_clear() was resetting numwpipes to 0, but not freeing any allocated
memory for existing write buffers.

Fixes #2026

Reviewed-by: Rich Salz <rsalz@openssl.org>
---
 ssl/record/rec_layer_s3.c |  6 +-----
 ssl/record/ssl3_buffer.c  | 12 ++++++++----
 test/sslapitest.c         | 10 +++++++++-
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 62bc3b08e4..93b7d05b8d 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -39,8 +39,6 @@ void RECORD_LAYER_init(RECORD_LAYER *rl, SSL *s)
 
 void RECORD_LAYER_clear(RECORD_LAYER *rl)
 {
-    unsigned int pipes;
-
     rl->rstate = SSL_ST_READ_HEADER;
 
     /*
@@ -62,9 +60,7 @@ void RECORD_LAYER_clear(RECORD_LAYER *rl)
     rl->wpend_buf = NULL;
 
     SSL3_BUFFER_clear(&rl->rbuf);
-    for (pipes = 0; pipes < rl->numwpipes; pipes++)
-        SSL3_BUFFER_clear(&rl->wbuf[pipes]);
-    rl->numwpipes = 0;
+    ssl3_release_write_buffer(rl->s);
     rl->numrpipes = 0;
     SSL3_RECORD_clear(rl->rrec, SSL_MAX_PIPELINES);
 
diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c
index df1f90092c..8a6a922261 100644
--- a/ssl/record/ssl3_buffer.c
+++ b/ssl/record/ssl3_buffer.c
@@ -105,13 +105,17 @@ int ssl3_setup_write_buffer(SSL *s, size_t numwpipes, size_t len)
 
     wb = RECORD_LAYER_get_wbuf(&s->rlayer);
     for (currpipe = 0; currpipe < numwpipes; currpipe++) {
-        if (wb[currpipe].buf == NULL) {
-            if ((p = OPENSSL_malloc(len)) == NULL) {
+        SSL3_BUFFER *thiswb = &wb[currpipe];
+
+        if (thiswb->buf == NULL) {
+            p = OPENSSL_malloc(len);
+            if (p == NULL) {
                 s->rlayer.numwpipes = currpipe;
                 goto err;
             }
-            wb[currpipe].buf = p;
-            wb[currpipe].len = len;
+            memset(thiswb, 0, sizeof(SSL3_BUFFER));
+            thiswb->buf = p;
+            thiswb->len = len;
         }
     }
 
diff --git a/test/sslapitest.c b/test/sslapitest.c
index add38cf622..e370807bbc 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -100,8 +100,16 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
         goto end;
     }
 
-    testresult = 1;
+    /*
+     * Calling SSL_clear() first is not required but this tests that SSL_clear()
+     * doesn't leak (when using enable-crypto-mdebug).
+     */
+    if (!SSL_clear(serverssl)) {
+        printf("Unexpected failure from SSL_clear()\n");
+        goto end;
+    }
 
+    testresult = 1;
  end:
     X509_free(chaincert);
     SSL_free(serverssl);
-- 
2.25.1