From 9dc64a7402bfde2c8f3cadebc47db32ca133feb6 Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan
Date: Tue, 14 Apr 2026 11:05:51 +0530
Subject: [PATCH] fix(protocomm): pass current session id when closing existing session
sec1_new_session()/sec2_new_session() were calling sec*_close_session() with the *new* session_id parameter instead of the existing cur_session->id. The close handler validates `cur_session->id == session_id` before performing teardown, so the call always failed with ESP_ERR_INVALID_STATE. Effect: when a peer started a new provisioning session while another was already active, the previous session's PSA keys, AES context, SRP handle and username buffer were leaked instead of being destroyed. The cleared session struct was overwritten by the new session, leaking the previous key handles inside PSA Crypto and (for security2) leaking heap memory for the username and SRP context. Fix: pass cur_session->id so the close path actually executes the teardown (psa_destroy_key/psa_cipher_abort/esp_srp_free/free) before the new session takes over.
---
 components/protocomm/src/security/security1.c | 2 +-
 components/protocomm/src/security/security2.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/components/protocomm/src/security/security1.c b/components/protocomm/src/security/security1.c
index 9afdcce626..f4df68ec56 100644
--- a/components/protocomm/src/security/security1.c
+++ b/components/protocomm/src/security/security1.c
@@ -491,7 +491,7 @@ static esp_err_t sec1_new_session(protocomm_security_handle_t handle, uint32_t s
 if (cur_session->id != -1) {
 /* Only one session is allowed at a time */
 ESP_LOGE(TAG, "Closing old session with id %" PRIu32, cur_session->id);
- sec1_close_session(cur_session, session_id);
+ sec1_close_session(cur_session, cur_session->id);
 }
 cur_session->id = session_id;
diff --git a/components/protocomm/src/security/security2.c b/components/protocomm/src/security/security2.c
index 7076e82b6c..286bfc9843 100644
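Review bot: The return value of `sec1_close_session(cur_session, cur_session->id)` on the added line is still discarded, which is exactly why the original wrong-argument call could fail with ESP_ERR_INVALID_STATE without anyone noticing; the same applies to the `sec2_close_session` call in the security2.c hunk. Per the commit message this close path is what destroys the previous session's key handles and frees its heap buffers, so a silent failure here is a leak of key material and memory, and a future regression would again be invisible. The result should at least be logged: `esp_err_t ret = sec1_close_session(cur_session, cur_session->id);` / `if (ret != ESP_OK) { ESP_LOGW(TAG, "Failed to close old session %" PRIu32 ": %s", cur_session->id, esp_err_to_name(ret)); }`. That the close handler is the only teardown of those resources is taken from the commit description rather than from the hunk itself. sec1_new_session's body starts before and continues after the hunk.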
--- a/components/protocomm/src/security/security2.c
+++ b/components/protocomm/src/security/security2.c
@@ -422,7 +422,7 @@ static esp_err_t sec2_new_session(protocomm_security_handle_t handle, uint32_t s
 if (cur_session->id != -1) {
 /* Only one session is allowed at a time */
 ESP_LOGE(TAG, "Closing old session with id %" PRIu32, cur_session->id);
- sec2_close_session(cur_session, session_id);
+ sec2_close_session(cur_session, cur_session->id);
 }
 cur_session->id = session_id;