curl_sasl: Fix memory leak in digest parser

If any parameter in a HTTP DIGEST challenge message is present multiple
times, memory allocated for all but the last entry should be freed.

Bug: https://github.com/curl/curl/pull/667

1 files changed, 6 insertions, 0 deletions

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index f6677ece7..ef6283c5a 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -782,6 +782,7 @@ CURLcode Curl_sasl_decode_digest_http_message(const char *chlg,
     /* Extract a value=content pair */
     if(!Curl_sasl_digest_get_pair(chlg, value, content, &chlg)) {
       if(Curl_raw_equal(value, "nonce")) {
+        free(digest->nonce);
         digest->nonce = strdup(content);
         if(!digest->nonce)
           return CURLE_OUT_OF_MEMORY;
@@ -793,11 +794,13 @@ CURLcode Curl_sasl_decode_digest_http_message(const char *chlg,
         }
       }
       else if(Curl_raw_equal(value, "realm")) {
+        free(digest->realm);
         digest->realm = strdup(content);
         if(!digest->realm)
           return CURLE_OUT_OF_MEMORY;
       }
       else if(Curl_raw_equal(value, "opaque")) {
+        free(digest->opaque);
         digest->opaque = strdup(content);
         if(!digest->opaque)
           return CURLE_OUT_OF_MEMORY;
@@ -825,17 +828,20 @@ CURLcode Curl_sasl_decode_digest_http_message(const char *chlg,
 
         /* Select only auth or auth-int. Otherwise, ignore */
         if(foundAuth) {
+          free(digest->qop);
           digest->qop = strdup(DIGEST_QOP_VALUE_STRING_AUTH);
           if(!digest->qop)
             return CURLE_OUT_OF_MEMORY;
         }
         else if(foundAuthInt) {
+          free(digest->qop);
           digest->qop = strdup(DIGEST_QOP_VALUE_STRING_AUTH_INT);
           if(!digest->qop)
             return CURLE_OUT_OF_MEMORY;
         }
       }
       else if(Curl_raw_equal(value, "algorithm")) {
+        free(digest->algorithm);
         digest->algorithm = strdup(content);
         if(!digest->algorithm)
           return CURLE_OUT_OF_MEMORY;