From d64409fdb2a03b80eabfb8219ede129a18534c26 Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Fri, 26 Jun 2026 18:44:49 +0800 Subject: [PATCH] fix(esp_https_server): free TLS session on transport_ctx OOM in httpd_ssl_open --- components/esp_https_server/src/https_server.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/components/esp_https_server/src/https_server.c b/components/esp_https_server/src/https_server.c index 2184228087a..7424f5effdb 100644 --- a/components/esp_https_server/src/https_server.c +++ b/components/esp_https_server/src/https_server.c @@ -198,6 +198,10 @@ static esp_err_t httpd_ssl_open(httpd_handle_t server, int sockfd) esp_https_server_last_error_t last_error = {0}; last_error.last_error = ESP_ERR_NO_MEM; http_dispatch_event_to_event_loop(HTTPS_SERVER_EVENT_ERROR, &last_error, sizeof(last_error)); + /* The TLS session (and its underlying socket fd) is already established; free it + * before returning so a failed connection under memory pressure does not leak the + * SSL context and the socket (CWE-401 / CWE-772). */ + esp_tls_server_session_delete(tls); return ESP_ERR_NO_MEM; } transport_ctx->tls = tls;