ntlm: free target_info before (re-)malloc

OSS-Fuzz found a way this could get called again with the pointer still
pointing to a malloc'ed memory, leading to a leak.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379

Closes #5724

diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
index 3b46e1a4683cbe7de9ecb8e488a5f57550be2d6a..ecfeacb9af8c34762c0f6f2ec4b7519adc745bd2 100644 (file)
--- a/lib/vauth/ntlm.c
+++ b/lib/vauth/ntlm.c
@@ -191,6 +191,7 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
         return CURLE_BAD_CONTENT_ENCODING;
       }
 
+      free(ntlm->target_info); /* replace any previous data */
       ntlm->target_info = malloc(target_info_len);
       if(!ntlm->target_info)
         return CURLE_OUT_OF_MEMORY;