diff --git a/gtests/ssl_gtest/ssl_custext_unittest.cc b/gtests/ssl_gtest/ssl_custext_unittest.cc
index f1ead3e9a4..4a7769cea3 100644
--- a/gtests/ssl_gtest/ssl_custext_unittest.cc
+++ b/gtests/ssl_gtest/ssl_custext_unittest.cc
@@ -77,7 +77,7 @@ void InstallManyWriters(std::shared_ptr agent,
 SSLExtensionWriter writer, size_t *installed = nullptr,
 size_t *called = nullptr) {
 for (size_t i = 0; i < PR_ARRAY_SIZE(kManyExtensions); ++i) {
- SSLExtensionSupport support;
+ SSLExtensionSupport support = ssl_ext_none;
 SECStatus rv = SSL_GetExtensionSupport(kManyExtensions[i], &support);
 ASSERT_EQ(SECSuccess, rv) << "SSL_GetExtensionSupport cannot fail";
diff --git a/gtests/ssl_gtest/ssl_drop_unittest.cc b/gtests/ssl_gtest/ssl_drop_unittest.cc
index da4f6626c8..c059e9938d 100644
--- a/gtests/ssl_gtest/ssl_drop_unittest.cc
+++ b/gtests/ssl_gtest/ssl_drop_unittest.cc
@@ -352,6 +352,9 @@ TEST_F(TlsDropDatagram13, DropSecondHalfOfServerCertificate) {
 // overlapping message ranges are handled properly; and that extra
 // retransmissions are handled properly.
 class TlsFragmentationAndRecoveryTest : public TlsDropDatagram13 {
+ public:
+ TlsFragmentationAndRecoveryTest() : cert_len_(0) {}
+
 protected:
 void RunTest(size_t dropped_half) {
 FirstFlightDropCertificate();
diff --git a/lib/ssl/dtls13con.c b/lib/ssl/dtls13con.c
index e11a7d72a7..aba0f62ab8 100644
--- a/lib/ssl/dtls13con.c
+++ b/lib/ssl/dtls13con.c
@@ -78,7 +78,7 @@ dtls13_RememberFragment(sslSocket *ss,
 SECStatus
 dtls13_SendAck(sslSocket *ss)
 {
- sslBuffer buf = { NULL, 0, 0 };
+ sslBuffer buf = SSL_BUFFER_EMPTY;
 SECStatus rv = SECSuccess;
 PRCList *cursor;
 PRInt32 sent;
diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c
index d490836a5c..ade2809036 100644
--- a/lib/ssl/ssl3ext.c
+++ b/lib/ssl/ssl3ext.c
@@ -619,7 +619,7 @@ static SECStatus
 ssl_CallCustomExtensionSenders(sslSocket *ss, sslBuffer *buf,
 SSLHandshakeType message)
 {
- sslBuffer tail = { NULL, 0, 0 };
+ sslBuffer tail = SSL_BUFFER_EMPTY;
 SECStatus rv;
 PRCList *cursor;
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
index 9476f4fd1e..c0fbda7ab8 100644
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -665,7 +665,7 @@ ssl3_EncodeSessionTicket(sslSocket *ss, const NewSessionTicket *ticket,
 PK11SymKey *secret, SECItem *ticket_data)
 {
 SECStatus rv;
- sslBuffer plaintext = { NULL, 0, 0 };
+ sslBuffer plaintext = SSL_BUFFER_EMPTY;
 SECItem ticket_buf = { 0, NULL, 0 };
 sslSessionID sid;
 unsigned char wrapped_ms[SSL3_MASTER_SECRET_LENGTH];
diff --git a/lib/ssl/sslspec.c b/lib/ssl/sslspec.c
index 4a251d08a0..26c3eb5462 100644
--- a/lib/ssl/sslspec.c
+++ b/lib/ssl/sslspec.c
@@ -252,7 +252,8 @@ void
 ssl_DestroyCipherSpecs(PRCList *list)
 {
 while (!PR_CLIST_IS_EMPTY(list)) {
- ssl_FreeCipherSpec((ssl3CipherSpec *)PR_LIST_TAIL(list));
+ ssl3CipherSpec *spec = (ssl3CipherSpec *)PR_LIST_TAIL(list);
+ ssl_FreeCipherSpec(spec);
 }
 }
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
index e2ec280237..360beae2fa 100644
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -3075,7 +3075,7 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type,
 /* We use the epoch for cipher suite identification, so increment
 * it in both TLS and DTLS. */
 if ((*specp)->epoch == PR_UINT16_MAX) {
- return SECFailure;
+ goto loser;
 }
 spec->epoch = (PRUint16)type;
 spec->seqNum = 0;
@@ -3086,12 +3086,12 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type,
 /* This depends on spec having a valid direction and epoch. */
 rv = tls13_SetupPendingCipherSpec(ss, spec);
 if (rv != SECSuccess) {
- return SECFailure;
+ goto loser;
 }
 rv = tls13_DeriveTrafficKeys(ss, spec, type, deleteSecret);
 if (rv != SECSuccess) {
- return SECFailure;
+ goto loser;
 }
 /* Now that we've set almost everything up, finally cut over. */
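Review bot: In ssl_DestroyCipherSpecs the `while (!PR_CLIST_IS_EMPTY(list))` loop terminates only if ssl_FreeCipherSpec unlinks the spec it is handed, and that function is not visible in this hunk. The new local `spec` reads better, but the dependency stays implicit. Once confirmed against the definition, I would add a comment above the call such as `/* ssl_FreeCipherSpec() unlinks spec from the list, so the loop makes progress. */`. It would also help to say whether this teardown path frees specs regardless of outstanding references, since tls13con.c in this same commit releases specs through `ssl_CipherSpecRelease` instead.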
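Review bot: The epoch-exhaustion branch `if ((*specp)->epoch == PR_UINT16_MAX)` in tls13_SetCipherSpec now jumps to `loser`, but no error code is set in the visible lines, so the caller may get SECFailure with a stale PORT_GetError() value. The two `goto loser` sites in the following hunk come after a failed call that presumably sets its own error; this one is a purely local check. I would add `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);` (or the code this file normally uses for internal limits) before the `goto`. The function body begins above the hunk, so how `spec` and `specp` are set up is not checkable from here.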
@@ -3109,6 +3109,10 @@ tls13_SetCipherSpec(sslSocket *ss, TrafficKeyType type,
 direction == CipherSpecWrite, spec);
 }
 return SECSuccess;
+
+loser:
+ ssl_CipherSpecRelease(spec);
+ return SECFailure;
 }
 SECStatus
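Review bot: `loser:` calls `ssl_CipherSpecRelease(spec)` unconditionally, but the statement that creates `spec` and takes its reference lies outside all three tls13con.c hunks, so the ownership this label relies on cannot be checked here. Every `goto loser` has to be reached with `spec` non-NULL, holding exactly one reference owned by this function, and presumably before the spec is installed through `*specp`. A failure path added later, after the cut-over, would otherwise release key material the socket still uses. A comment on the label would pin that down, for example `/* spec is still owned by this function here; it has not been installed in *specp. */`.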