From 9c1cf966643117368119168465b9ac783b636164 Mon Sep 17 00:00:00 2001
From: Marcel Raad <raad@teamviewer.com>
Date: Thu, 24 Jul 2014 18:55:12 +0200
Subject: SSPI Negotiate: Fix 3 memory leaks

Curl_base64_decode allocates the output string by itself and two other
strings were not freed either.
---
 lib/http_negotiate_sspi.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

(limited to 'lib/http_negotiate_sspi.c')

diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
index 84e5ebf89..3c5680c4f 100644
--- a/lib/http_negotiate_sspi.c
+++ b/lib/http_negotiate_sspi.c
@@ -136,10 +136,6 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
       return -1;
   }
   else {
-    input_token = malloc(neg_ctx->max_token_length);
-    if(!input_token)
-      return -1;
-
     error = Curl_base64_decode(header,
                                (unsigned char **)&input_token,
                                &input_token_len);
@@ -186,6 +182,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
     &lifetime);
 
   Curl_unicodefree(sname);
+  Curl_safefree(input_token);
 
   if(GSS_ERROR(neg_ctx->status))
     return -1;
@@ -226,10 +223,14 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy)
   userp = aprintf("%sAuthorization: Negotiate %s\r\n", proxy ? "Proxy-" : "",
                   encoded);
 
-  if(proxy)
+  if(proxy) {
+    Curl_safefree(conn->allocptr.proxyuserpwd);
     conn->allocptr.proxyuserpwd = userp;
-  else
+  }
+  else {
+    Curl_safefree(conn->allocptr.userpwd);
     conn->allocptr.userpwd = userp;
+  }
   free(encoded);
   return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK;
 }
-- 
cgit v1.2.3