session_in/out not reset in mbedtls_ssl_session_reset() #1941

Closed
hanno-becker opened this issue Aug 13, 2018 · 1 comment

@hanno-becker

Problem: mbedtls_ssl_session_reset(), specifically the underlying ssl_session_reset_int(), does not reset the pointers mbedtls_ssl_context::session_in and mbedtls_ssl_context::session_out, but it does free and NULLify the mbedtls_ssl_context::session to which they map after a successful handshake. This leaves them dangling and e.g. makes a subsequent call to mbedtls_ssl_get_max_frag_len() fail with a segmentation fault (see here for the failing access).

Further accesses: There is another entirely unrestricted access to session_out in mbedtls_ssl_get_record_expansion(), i.e. not even guarded by a check that session_out != NULL (moving the subsequent check transform_out != NULL prior to the access would solve the matter).
Apart from that, there don't seem to be further critical accesses to session_in/out: There is an access in ssl_encrypt_buf(), but this is guarded by transform_out != NULL, and transform_out is properly reset in mbedtls_ssl_session_reset(). The same holds for the access in mbedtls_ssl_write_record(). There are similar accesses to session_in in ssl_decrypt_buf() and ssl_prepare_record_content() which are non-critical because they are guarded by a check that transform_in != NULL.
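
The aliasing pattern reported above, reduced to a self-contained C model. This is an added example, not mbedtls code and not part of the original issue; the `toy_*` types, fields and functions are hypothetical stand-ins. The reset clears the aliases together with the owning pointer, so a NULL-guarded accessor reports "no session" instead of dereferencing freed memory.

```c
#include <stdlib.h>

/* Simplified stand-ins for the structures named in the issue; the
 * layout and the toy_* names are assumptions made for illustration. */
typedef struct { unsigned char mfl_code; } toy_session;

typedef struct {
    toy_session *session;      /* owning pointer, freed on reset */
    toy_session *session_in;   /* aliases of session after the handshake */
    toy_session *session_out;
    void *transform_out;       /* non-NULL only while a session is active */
} toy_ctx;

/* After a successful handshake, session_in/out map to session. */
static int toy_handshake_done(toy_ctx *c, unsigned char mfl_code) {
    static int dummy_transform;
    c->session = calloc(1, sizeof(*c->session));
    if (c->session == NULL) return -1;
    c->session->mfl_code = mfl_code;
    c->session_in = c->session_out = c->session;
    c->transform_out = &dummy_transform;
    return 0;
}

/* Reset: free the owner and clear every alias in the same step. */
static void toy_session_reset(toy_ctx *c) {
    free(c->session);
    c->session = NULL;
    c->transform_out = NULL;
    c->session_in = NULL;      /* without these two lines the aliases dangle */
    c->session_out = NULL;
}

/* Accessor that checks the alias before dereferencing it. */
static int toy_get_mfl_code(const toy_ctx *c) {
    if (c->session_out == NULL) return -1;   /* no active session */
    return c->session_out->mfl_code;
}

/* Handshake, reset, then query: yields -1 rather than a read of freed memory. */
static int toy_demo(void) {
    toy_ctx c = {0};
    if (toy_handshake_done(&c, 2) != 0) return -2;
    if (toy_get_mfl_code(&c) != 2) return -3;
    toy_session_reset(&c);
    return toy_get_mfl_code(&c);
}

int main(void) { return toy_demo() == -1 ? 0 : 1; }
```

The NULL check in the accessor only helps once the reset clears the aliases: a dangling pointer is non-NULL and passes the same check.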

@ciarmcom

ARM Internal Ref: IOTSSL-2467
