Possible minor memory leak in SNI code. r=alexei, bob. Patch is provided by Meena Vyas.

2 files changed, 10 insertions, 4 deletions

diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c
index a0be8db9f..02ebc49f5 100644
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -1266,14 +1266,17 @@ no_ticket:
 			SSL_GETPID(), ss->fd));
 	ssl3stats = SSL_GetStatistics();
 	SSL_AtomicIncrementLong(& ssl3stats->hch_sid_ticket_parse_failures );
-	if (sid) {
-	    ssl_FreeSID(sid);
-	    sid = NULL;
-	}
     }
     rv = SECSuccess;
 
 loser:
+	/* ss->sec.ci.sid == sid if it did NOT come here via goto statement
+	 * in that case do not free sid
+	 */
+	if (sid && (ss->sec.ci.sid != sid)) {
+	    ssl_FreeSID(sid);
+	    sid = NULL;
+	}
     if (decrypted_state != NULL) {
 	SECITEM_FreeItem(decrypted_state, PR_TRUE);
 	decrypted_state = NULL;
diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
index 8c097f8d4..6a8fc4757 100644
--- a/security/nss/lib/ssl/sslnonce.c
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -222,6 +222,9 @@ ssl_DestroySID(sslSessionID *sid)
     if (sid->u.ssl3.sessionTicket.ticket.data) {
 	SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
     }
+    if (sid->u.ssl3.srvName.data) {
+	SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
+    }
     
     PORT_ZFree(sid, sizeof(sslSessionID));
 }