SSPI Negotiate: Fix 3 memory leaks

Curl_base64_decode allocates the output string by itself and two other
strings were not freed either.

1 files changed, 7 insertions, 6 deletions

diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
index 84e5ebf89..3c5680c4f 100644
--- a/lib/http_negotiate_sspi.c
+++ b/lib/http_negotiate_sspi.c
@@ -136,10 +136,6 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
       return -1;
   }
   else {
-    input_token = malloc(neg_ctx->max_token_length);
-    if(!input_token)
-      return -1;
-
     error = Curl_base64_decode(header,
                                (unsigned char **)&input_token,
                                &input_token_len);
@@ -186,6 +182,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
     &lifetime);
 
   Curl_unicodefree(sname);
+  Curl_safefree(input_token);
 
   if(GSS_ERROR(neg_ctx->status))
     return -1;
@@ -226,10 +223,14 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
   userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
                   encoded);
 
-  if(proxy)
+  if(proxy) {
+    Curl_safefree(conn->allocptr.proxyuserpwd);
     conn->allocptr.proxyuserpwd = userp;
-  else
+  }
+  else {
+    Curl_safefree(conn->allocptr.userpwd);
     conn->allocptr.userpwd = userp;
+  }
   free(encoded);
   return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
 }