From 5ef5c279b5226487f1f8f499f882d91fb07ce19f Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Thu, 24 Sep 2020 15:53:12 -0700
Subject: [PATCH] Fix for previous max fragment commit to correctly process a
 TLS packet with multiple handshake messages. Fix to free the wolfSSL objects
 first then wolfSSL_CTX.

---
 src/sniffer.c | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/src/sniffer.c b/src/sniffer.c
index 8f591fffa..dfaec0538 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -677,14 +677,7 @@ void ssl_FreeSniffer(void)
     wc_LockMutex(&ServerListMutex);
     wc_LockMutex(&SessionMutex);
 
-    srv = ServerList;
-    while (srv) {
-        removeServer = srv;
-        srv = srv->next;
-        FreeSnifferServer(removeServer);
-    }
-    ServerList = NULL;
-
+    /* Free sessions (wolfSSL objects) first */
     for (i = 0; i < HASH_SIZE; i++) {
         session = SessionTable[i];
         while (session) {
@@ -695,6 +688,15 @@ void ssl_FreeSniffer(void)
     }
     SessionCount = 0;
 
+    /* Then server (wolfSSL_CTX) */
+    srv = ServerList;
+    while (srv) {
+        removeServer = srv;
+        srv = srv->next;
+        FreeSnifferServer(removeServer);
+    }
+    ServerList = NULL;    
+
     wc_UnLockMutex(&SessionMutex);
     wc_UnLockMutex(&ServerListMutex);
 
@@ -3465,6 +3467,7 @@ static int DoHandShake(const byte* input, int* sslBytes,
     int  size;
     int  ret = 0;
     WOLFSSL* ssl;
+    int startBytes;
 
     (void)rhSize;
 
@@ -3494,6 +3497,7 @@ static int DoHandShake(const byte* input, int* sslBytes,
 
     input     += HANDSHAKE_HEADER_SZ;
     *sslBytes -= HANDSHAKE_HEADER_SZ;
+    startBytes = *sslBytes;
 
     if (*sslBytes < size) {
         Trace(SPLIT_HANDSHAKE_MSG_STR);
@@ -3666,6 +3670,8 @@ exit:
     }
 #endif
 
+    *sslBytes = startBytes - size;  /* actual bytes of full process */
+
     return ret;
 }
 
@@ -4933,18 +4939,21 @@ doPart:
     switch ((enum ContentType)rh.type) {
         case handshake:
             {
-                int inOutIdx = sslBytes;
+                int startIdx = sslBytes;
+                int used;
+
                 Trace(GOT_HANDSHAKE_STR);
-                ret = DoHandShake(sslFrame, &inOutIdx, session, error, rhSize);
-                if (ret != 0) {
+                ret = DoHandShake(sslFrame, &sslBytes, session, error, rhSize);
+                if (ret != 0 || sslBytes > startIdx) {
                     if (session->flags.fatalError == 0)
                         SetError(BAD_HANDSHAKE_STR, error, session,
                                  FATAL_ERROR_STATE);
                     return -1;
                 }
 
-                sslFrame += rhSize;
-                sslBytes -= rhSize;
+                /* DoHandShake now fully decrements sslBytes to remaining */
+                used = startIdx - sslBytes;
+                sslFrame += used;
                 if (decrypted)
                     sslFrame += ssl->keys.padSz;
             }