From: Daniel Stenberg Date: Sun, 26 Jul 2020 15:00:48 +0000 (+0200) Subject: ntlm: free target_info before (re-)malloc X-Git-Tag: curl-7_72_0~85 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=376d5bb323c03c0fc4af266c03abac8f067fbd0e;p=thirdparty%2Fcurl.git ntlm: free target_info before (re-)malloc OSS-Fuzz found a way this could get called again with the pointer still pointing to a malloc'ed memory, leading to a leak. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379 Closes #5724 --- diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c index 3b46e1a468..ecfeacb9af 100644 --- a/lib/vauth/ntlm.c +++ b/lib/vauth/ntlm.c @@ -191,6 +191,7 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data, return CURLE_BAD_CONTENT_ENCODING; } + free(ntlm->target_info); /* replace any previous data */ ntlm->target_info = malloc(target_info_len); if(!ntlm->target_info) return CURLE_OUT_OF_MEMORY;
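Review bot: the added `free(ntlm->target_info);` ahead of `ntlm->target_info = malloc(target_info_len);` is only safe if `ntlm->target_info` is either NULL or a live heap pointer every time this function is entered, and nothing in the hunk shows where that is guaranteed. Please confirm that the struct is zero-initialized before first use and that every other path that frees this buffer also resets the pointer to NULL; otherwise a repeated type-2 message turns the leak into a double free. When the `malloc` fails, the function returns `CURLE_OUT_OF_MEMORY` with the pointer now NULL, so if a length for the old buffer is kept alongside it, it should be cleared at the same point to keep pointer and length consistent. The free also sits after the `return CURLE_BAD_CONTENT_ENCODING;` path, so on that error the previous buffer is retained, which is fine only if cleanup releases it later. The diff touches only `lib/vauth/ntlm.c`; a regression test that feeds two type-2 messages through the same handle would keep this from coming back.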