authorDaniel Stenberg <daniel@haxx.se>2019-12-13 12:27:49 +0100
committerDaniel Stenberg <daniel@haxx.se>2019-12-13 12:39:32 +0100
commit39fc654cf438c1d58af0cd20b157121d1a1a2a66 (patch)
treefa0f71c15b72519df9919e227289d82d93e3a672
parent86f9c67629599a8da299cf3981f82878a39dca09 (diff)
downloadcurl-bagder/ntlm-wb-double-free.tar.gz
ntlm_wb: fix double-free in OOM (bagder/ntlm-wb-double-free)
Detected by torture testing test 1310
-rw-r--r--lib/curl_ntlm_wb.c17
1 files changed, 6 insertions, 11 deletions
diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c
index 80266e2a4..30b54de44 100644
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -108,10 +108,8 @@ void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn)
conn->ntlm_auth_hlpr_pid = 0;
}
- free(conn->challenge_header);
- conn->challenge_header = NULL;
- free(conn->response_header);
- conn->response_header = NULL;
+ Curl_safefree(conn->challenge_header);
+ Curl_safefree(conn->response_header);
}
static CURLcode ntlm_wb_init(struct connectdata *conn, const char *userp)
@@ -393,7 +391,6 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
struct auth *authp;
CURLcode res = CURLE_OK;
- char *input;
DEBUGASSERT(conn);
DEBUGASSERT(conn->data);
@@ -444,19 +441,17 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
proxy ? "Proxy-" : "",
conn->response_header);
DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));
- free(conn->response_header);
+ Curl_safefree(conn->response_header);
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
- conn->response_header = NULL;
break;
- case NTLMSTATE_TYPE2:
- input = aprintf("TT %s\n", conn->challenge_header);
+ case NTLMSTATE_TYPE2: {
+ char *input = aprintf("TT %s\n", conn->challenge_header);
if(!input)
return CURLE_OUT_OF_MEMORY;
res = ntlm_wb_response(conn, input, *state);
free(input);
- input = NULL;
if(res)
return res;
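Review bot: The context line `DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd));` still runs before the `if(!*allocuserpwd)` check, so on the same out-of-memory path this commit hardens, a build with DEBUG_OUT active would pass a null pointer to `%s`, which is undefined behaviour. Moving that debug line below the `return CURLE_OUT_OF_MEMORY;` check keeps the trace and avoids the null argument. It would also help to record why the pointer is cleared before the early return, for example `/* clear before the OOM return: Curl_http_auth_cleanup_ntlm_wb() frees this pointer again */` above `Curl_safefree(conn->response_header);`. Curl_output_ntlm_wb starts and ends outside this hunk, and the assignment to `*allocuserpwd` is presumably the aprintf call whose trailing arguments open the hunk.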
@@ -471,7 +466,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
if(!*allocuserpwd)
return CURLE_OUT_OF_MEMORY;
break;
-
+ }
case NTLMSTATE_TYPE3:
/* connection is already authenticated,
* don't send a header in future requests */