From 17207ff61be7842d74e6e311d55a9913f6eff87f Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Tue, 19 Jul 2016 10:32:25 -0600
Subject: [PATCH 1/3] account for when FreeHandshakeResources is not called
---
 src/internal.c | 9 +++++++++
 wolfssl/wolfcrypt/memory.h | 1 +
 2 files changed, 10 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index 265617379..3bf2107a6 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -3311,6 +3311,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 }
 ctx_hint->memory->curHa++;
 ctx_hint->memory->curIO++;
+ ssl_hint->haFlag = 1;
 UnLockMutex(&(ctx_hint->memory->memory_mutex));
 #ifdef WOLFSSL_HEAP_TEST
 }
@@ -3684,6 +3685,9 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 WOLFSSL_HEAP* ctx_heap;
 ctx_heap = ssl_hint->memory;
+ if (LockMutex(&(ctx_heap->memory_mutex)) != 0) {
+ WOLFSSL_MSG("Bad memory_mutex lock");
+ }
 ctx_heap->curIO--;
 if (FreeFixedIO(ctx_heap, &(ssl_hint->outBuf)) != 1) {
 WOLFSSL_MSG("Error freeing fixed output buffer");
@@ -3691,6 +3695,10 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 if (FreeFixedIO(ctx_heap, &(ssl_hint->inBuf)) != 1) {
 WOLFSSL_MSG("Error freeing fixed output buffer");
 }
+ if (ssl_hint->haFlag) { /* check if handshake count has been decreased*/
+ ctx_heap->curHa--;
+ }
+ UnLockMutex(&(ctx_heap->memory_mutex));
 /* check if tracking stats */
 if (ctx_heap->flag & WOLFMEM_TRACK_STATS) {
@@ -3864,6 +3872,7 @@ void FreeHandshakeResources(WOLFSSL* ssl)
 WOLFSSL_MSG("Bad memory_mutex lock");
 }
 ctx_heap->curHa--;
+ ssl_hint->haFlag = 0; /* set to zero since handshake has been dec */
 UnLockMutex(&(ctx_heap->memory_mutex));
 #ifdef WOLFSSL_HEAP_TEST
 }
diff --git a/wolfssl/wolfcrypt/memory.h b/wolfssl/wolfcrypt/memory.h
index b243fed51..274787939 100644
--- a/wolfssl/wolfcrypt/memory.h
+++ b/wolfssl/wolfcrypt/memory.h
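Review bot: In SSL_ResourceFree (hunk @@ -3684) a failed `LockMutex` is only logged, so the function still decrements `curIO`, frees the fixed IO buffers and adjusts `curHa` without holding `memory_mutex`, and the `UnLockMutex` added in the next hunk (@@ -3691) then runs on a mutex this thread never acquired. Because the function returns void, I would keep the result, `int locked = (LockMutex(&(ctx_heap->memory_mutex)) == 0);`, and release conditionally, `if (locked) UnLockMutex(&(ctx_heap->memory_mutex));`. Whether the shared counters should be touched at all in the unlocked case deserves a one-line comment. The function body starts and ends outside both hunks.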
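Review bot: In FreeHandshakeResources (hunk @@ -3864) the `ctx_heap->curHa--` just above the new line is still unconditional, so if this function can run more than once for the same WOLFSSL object (not visible from the hunk) the handshake counter is decremented twice and the `maxHa <= curHa` limit checked in InitSSL no longer reflects the real number of handshakes. The flag introduced by this patch already carries the needed state, so guarding with it keeps the counter balanced: `if (ssl_hint->haFlag) { ctx_heap->curHa--; ssl_hint->haFlag = 0; }`. The function continues outside the hunk.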
@@ -137,6 +137,7 @@ WOLFSSL_API int wolfSSL_SetAllocators(wolfSSL_Malloc_cb malloc_function,
 WOLFSSL_MEM_CONN_STATS* stats; /* hold individual connection stats */
 wc_Memory* outBuf; /* set if using fixed io buffers */
 wc_Memory* inBuf;
+ byte haFlag; /* flag used for checking handshake count */
 } WOLFSSL_HEAP_HINT;
From 01ecc64052f54bb74268fbe2723e6f1ec4235073 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Tue, 19 Jul 2016 10:48:49 -0600
Subject: [PATCH 2/3] avoid race condition with IO and handshake counter
---
 src/internal.c | 61 +++++++++++++++++++++++++-------------------------
 1 file changed, 30 insertions(+), 31 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 3bf2107a6..63a5aa074 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -3242,27 +3242,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 } else {
 #endif
- ctx_hint = ((WOLFSSL_HEAP_HINT*)(ctx->heap));
- /* lock and check IO count / handshake count */
- if (LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) {
- WOLFSSL_MSG("Bad memory_mutex lock");
- return BAD_MUTEX_E;
- }
- if (ctx_hint->memory->maxHa > 0 &&
- ctx_hint->memory->maxHa <= ctx_hint->memory->curHa) {
- WOLFSSL_MSG("At max number of handshakes for static memory");
- UnLockMutex(&(ctx_hint->memory->memory_mutex));
- return MEMORY_E;
- }
-
- if (ctx_hint->memory->maxIO > 0 &&
- ctx_hint->memory->maxIO <= ctx_hint->memory->curIO) {
- WOLFSSL_MSG("At max number of IO allowed for static memory");
- UnLockMutex(&(ctx_hint->memory->memory_mutex));
- return MEMORY_E;
- }
- UnLockMutex(&(ctx_hint->memory->memory_mutex));
-
 ssl->heap = (WOLFSSL_HEAP_HINT*)XMALLOC(sizeof(WOLFSSL_HEAP_HINT), ctx->heap, DYNAMIC_TYPE_SSL);
 if (ssl->heap == NULL) {
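Review bot: The comment on `haFlag` in WOLFSSL_HEAP_HINT does not say what the two values mean or who clears the flag, which is the whole contract between InitSSL, FreeHandshakeResources and SSL_ResourceFree. I would document it as `/* 1 while this SSL is counted in curHa, 0 once the handshake slot is released */`, and add that it is written with `memory_mutex` held, which is how the internal.c hunks of this patch appear to use it. The struct definition starts outside the hunk.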
@@ -3270,7 +3249,37 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 }
 XMEMSET(ssl->heap, 0, sizeof(WOLFSSL_HEAP_HINT));
 ssl_hint = ((WOLFSSL_HEAP_HINT*)(ssl->heap));
+ ctx_hint = ((WOLFSSL_HEAP_HINT*)(ctx->heap));
+
+ /* lock and check IO count / handshake count */
+ if (LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) {
+ WOLFSSL_MSG("Bad memory_mutex lock");
+ XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL);
+ ssl->heap = NULL; /* free and set to NULL for IO counter */
+ return BAD_MUTEX_E;
+ }
+ if (ctx_hint->memory->maxHa > 0 &&
+ ctx_hint->memory->maxHa <= ctx_hint->memory->curHa) {
+ WOLFSSL_MSG("At max number of handshakes for static memory");
+ UnLockMutex(&(ctx_hint->memory->memory_mutex));
+ XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL);
+ ssl->heap = NULL; /* free and set to NULL for IO counter */
+ return MEMORY_E;
+ }
+
+ if (ctx_hint->memory->maxIO > 0 &&
+ ctx_hint->memory->maxIO <= ctx_hint->memory->curIO) {
+ WOLFSSL_MSG("At max number of IO allowed for static memory");
+ UnLockMutex(&(ctx_hint->memory->memory_mutex));
+ XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL);
+ ssl->heap = NULL; /* free and set to NULL for IO counter */
+ return MEMORY_E;
+ }
+ ctx_hint->memory->curIO++;
+ ctx_hint->memory->curHa++;
 ssl_hint->memory = ctx_hint->memory;
+ ssl_hint->haFlag = 1;
+ UnLockMutex(&(ctx_hint->memory->memory_mutex));
 /* check if tracking stats */
 if (ctx_hint->memory->flag & WOLFMEM_TRACK_STATS) {
@@ -3303,16 +3312,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 }
 UnLockMutex(&(ctx_hint->memory->memory_mutex));
 }
-
- /* increment counters at end of setting up memory */
- if (LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) {
- WOLFSSL_MSG("Bad memory_mutex lock");
- return BAD_MUTEX_E;
- }
- ctx_hint->memory->curHa++;
- ctx_hint->memory->curIO++;
- ssl_hint->haFlag = 1;
- UnLockMutex(&(ctx_hint->memory->memory_mutex));
 #ifdef WOLFSSL_HEAP_TEST
 }
 #endif
From 1f5b6d4e66862ccf0d6475102e73be3384d7d07f Mon Sep 17 00:00:00 2001
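Review bot: After `curIO++` / `curHa++` and the `UnLockMutex` in hunk @@ -3270, any later error return in InitSSL (the stats and fixed-IO setup that follows, partly outside this hunk) leaves both counters raised; they come back down only if the caller's cleanup reaches SSL_ResourceFree with `ssl->heap` still set. That dependency is not visible here, and a missed path would permanently consume a handshake/IO slot of the static pool, so it deserves a comment at the increment such as `/* released in SSL_ResourceFree(); later failures rely on the caller freeing ssl */`. Separately, the three failure branches repeat the same `XFREE` / `ssl->heap = NULL` pair, and a single local cleanup label would keep them from drifting apart.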
From: Jacob Barthelmeh
Date: Tue, 19 Jul 2016 15:57:09 -0600
Subject: [PATCH 3/3] sanity check on buffer size
---
 src/ssl.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/ssl.c b/src/ssl.c
index 3e54b519f..7094e8391 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -682,6 +682,9 @@ int wolfSSL_CTX_load_static_memory(WOLFSSL_CTX** ctx, wolfSSL_method_func method
 }
 if (*ctx == NULL) {
+ if (sizeof(WOLFSSL_HEAP) + sizeof(WOLFSSL_HEAP_HINT) > sz - idx) {
+ return BUFFER_E; /* not enough memory for structures */
+ }
 heap = (WOLFSSL_HEAP*)buf;
 idx += sizeof(WOLFSSL_HEAP);
 if (wolfSSL_init_memory_heap(heap) != SSL_SUCCESS) {
@@ -693,6 +696,9 @@ int wolfSSL_CTX_load_static_memory(WOLFSSL_CTX** ctx, wolfSSL_method_func method
 hint->memory = heap;
 } else if ((*ctx)->heap == NULL) {
+ if (sizeof(WOLFSSL_HEAP) + sizeof(WOLFSSL_HEAP_HINT) > sz - idx) {
+ return BUFFER_E; /* not enough memory for structures */
+ }
 heap = (WOLFSSL_HEAP*)buf;
 idx += sizeof(WOLFSSL_HEAP);
 if (wolfSSL_init_memory_heap(heap) != SSL_SUCCESS) {
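Review bot: The new guard in hunk @@ -682 computes `sz - idx` before comparing; both are declared outside the hunk, and if they are unsigned and `idx` can ever exceed `sz` at this point, the subtraction wraps and the check passes for a buffer that is too small. Writing it as `if (idx > sz || sizeof(WOLFSSL_HEAP) + sizeof(WOLFSSL_HEAP_HINT) > sz - idx) {` closes that case, and the identical check in the second hunk (@@ -693) needs the same form. The check also covers size only: `heap = (WOLFSSL_HEAP*)buf;` on the following line still assumes the caller's buffer is suitably aligned for WOLFSSL_HEAP, which is worth a comment or an explicit alignment test. The function body starts and ends outside both hunks.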