From 549e06db0456119b5c5081a61e1f917d10a0c522 Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Thu, 3 Feb 2022 05:52:49 -0500
Subject: [PATCH] Fix double free after successful resumption

---
 src/lib/tls/cache.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/lib/tls/cache.c b/src/lib/tls/cache.c
index e8f1d8a447..a1266e02cd 100644
--- a/src/lib/tls/cache.c
+++ b/src/lib/tls/cache.c
@@ -731,6 +731,8 @@ again:
 
 	case FR_TLS_CACHE_LOAD_RETRIEVED:
 	{
+		SSL_SESSION	*sess;
+
 		TALLOC_FREE(tls_cache->load.id);
 
 		RDEBUG3("Setting session data");
@@ -790,10 +792,19 @@ again:
 			RDEBUG2("Certificate re-validation failed, denying session resumption via session-id");
 			goto verify_error;
 		}
+		sess = tls_cache->load.sess;
 
+		/*
+		 *	After we return it's OpenSSL's responsibility
+		 *	to free the session data, so set our copy of
+		 *	the pointer to NULL, to prevent a double free
+		 *	on cleanup.
+		 */
 		*copy = 0;
+		tls_cache->load.sess = NULL;
+		return sess;
 	}
-		return tls_cache->load.sess;
+
 
 	case FR_TLS_CACHE_LOAD_FAILED:
 		RDEBUG3("Session data load failed");
-- 
2.47.3