From 022ff7d0fd38505dbd87d7224ca20d1cdc729f01 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Thu, 24 Jan 2013 02:26:43 +0100
Subject: BUG/MEDIUM: uri_auth: missing NULL check and memory leak on memory shortage

A test is obviously wrong in uri_auth(). If strdup(pass) returns an error
while strdup(user) passes, the NULL pointer is still stored into the
structure. If the user returns the NULL instead, the allocated memory is
not released before returning the error.

The issue was present in 1.4 so the fix should be backported.

Reported-by: Dinko Korunic <dkorunic@reflected.net>
(cherry picked from commit 0b291bdef1b9b6b539f44aa896eb1211c57a67a5)
---
 src/uri_auth.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/uri_auth.c b/src/uri_auth.c
index fdbcef0..2344ac6 100644
--- a/src/uri_auth.c
+++ b/src/uri_auth.c
@@ -247,12 +247,19 @@ struct uri_auth *stats_add_auth(struct uri_auth **root, char *user)
 		return NULL;
 
 	newuser->user = strdup(user);
-	newuser->pass = strdup(pass);
-	newuser->flags |= AU_O_INSECURE;
+	if (!newuser->user) {
+		free(newuser);
+		return NULL;
+	}
 
-	if (!newuser->user || !newuser->user)
+	newuser->pass = strdup(pass);
+	if (!newuser->pass) {
+		free(newuser->user);
+		free(newuser);
 		return NULL;
+	}
 
+	newuser->flags |= AU_O_INSECURE;
 	newuser->next = u->userlist->users;
 	u->userlist->users = newuser;
 
-- 
1.7.1