From: Willy Tarreau <w@1wt.eu>
Date: Thu, 24 Jan 2013 01:26:43 +0000 (+0100)
Subject: BUG/MEDIUM: uri_auth: missing NULL check and memory leak on memory shortage
X-Git-Tag: v1.5-dev18~112
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b291bdef1b9b6b539f44aa896eb1211c57a67a5;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: uri_auth: missing NULL check and memory leak on memory shortage

A test is obviously wrong in uri_auth(). If strdup(pass) returns an error
while strdup(user) passes, the NULL pointer is still stored into the
structure. If the user returns the NULL instead, the allocated memory is
not released before returning the error.

The issue was present in 1.4 so the fix should be backported.

Reported-by: Dinko Korunic <dkorunic@reflected.net>
---

diff --git a/src/uri_auth.c b/src/uri_auth.c
index 5a9284931e..837b71256b 100644
--- a/src/uri_auth.c
+++ b/src/uri_auth.c
@@ -247,12 +247,19 @@ struct uri_auth *stats_add_auth(struct uri_auth **root, char *user)
 		return NULL;
 
 	newuser->user = strdup(user);
-	newuser->pass = strdup(pass);
-	newuser->flags |= AU_O_INSECURE;
+	if (!newuser->user) {
+		free(newuser);
+		return NULL;
+	}
 
-	if (!newuser->user || !newuser->user)
+	newuser->pass = strdup(pass);
+	if (!newuser->pass) {
+		free(newuser->user);
+		free(newuser);
 		return NULL;
+	}
 
+	newuser->flags |= AU_O_INSECURE;
 	newuser->next = u->userlist->users;
 	u->userlist->users = newuser;