From ca3cd8b7ecb7c06a469bd20ada1282ae5adefb21 Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Thu, 26 Jan 2023 12:51:39 +0100
Subject: [PATCH] [core,nla] fix a memory leak in server nla

Clear destination SecBuffer before calling credssp_auth_decrypt or credssp_auth_encrypt
---
 libfreerdp/core/nla.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libfreerdp/core/nla.c b/libfreerdp/core/nla.c
index fb2c066ef..3d09d43f6 100644
--- a/libfreerdp/core/nla.c
+++ b/libfreerdp/core/nla.c
@@ -897,6 +897,7 @@ BOOL nla_encrypt_public_key_echo(rdpNla* nla)
 WINPR_ASSERT(nla);
+ sspi_SecBufferFree(&nla->pubKeyAuth);
 if (nla->server)
 {
 SecBuffer buf;
@@ -951,8 +952,11 @@ BOOL nla_encrypt_public_key_hash(rdpNla* nla)
 if (!winpr_Digest_Final(sha256, buf.pvBuffer, WINPR_SHA256_DIGEST_LENGTH))
 goto out;
- if (credssp_auth_encrypt(nla->auth, &buf, &nla->pubKeyAuth, NULL, nla->sendSeqNum++))
- status = TRUE;
+ sspi_SecBufferFree(&nla->pubKeyAuth);
+ if (!credssp_auth_encrypt(nla->auth, &buf, &nla->pubKeyAuth, NULL, nla->sendSeqNum++))
+ goto out;
+
+ status = TRUE;
 out:
 winpr_Digest_Free(sha256);
@@ -1272,6 +1276,7 @@ static BOOL nla_encrypt_ts_credentials(rdpNla* nla)
 if (!nla_encode_ts_credentials(nla))
 return FALSE;
+ sspi_SecBufferFree(&nla->authInfo);
 if (!credssp_auth_encrypt(nla->auth, &nla->tsCredentials, &nla->authInfo, NULL, nla->sendSeqNum++))
 return FALSE;
@@ -1289,6 +1294,7 @@ static BOOL nla_decrypt_ts_credentials(rdpNla* nla)
 return FALSE;
 }
+ sspi_SecBufferFree(&nla->tsCredentials);
 if (!credssp_auth_decrypt(nla->auth, &nla->authInfo, &nla->tsCredentials, nla->recvSeqNum++))
 return FALSE;
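Review bot: Releasing the destination SecBuffer before `credssp_auth_encrypt`/`credssp_auth_decrypt` is now an undocumented caller-side rule, starting with the added `sspi_SecBufferFree(&nla->pubKeyAuth);` in nla_encrypt_public_key_echo and repeated in nla_encrypt_public_key_hash, nla_encrypt_ts_credentials and nla_decrypt_ts_credentials. A future call site that forgets the free reintroduces the leak, so either document it at each site, e.g. `/* credssp_auth_encrypt() overwrites the output SecBuffer without releasing it: free old contents first */`, or move the release into the two credssp_auth_* helpers (their bodies are not in this patch, so that option needs checking against them). The pattern also presumably relies on sspi_SecBufferFree leaving pvBuffer NULL and cbBuffer 0, so that a failed encrypt does not leave a stale pointer for later cleanup to free again; worth confirming. nla_encrypt_public_key_echo starts before and continues past this hunk.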
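Review bot: In nla_encrypt_public_key_hash the rewritten call still passes `nla->sendSeqNum++` as an argument, so the send sequence number advances even when `credssp_auth_encrypt` fails and control jumps to `out`. If any caller can continue or retry after a FALSE return, the local counter would no longer match the peer's; incrementing only on success avoids that: `if (!credssp_auth_encrypt(nla->auth, &buf, &nla->pubKeyAuth, NULL, nla->sendSeqNum)) goto out;` followed by `nla->sendSeqNum++;`. The same form appears in nla_encrypt_ts_credentials (`sendSeqNum++`) and nla_decrypt_ts_credentials (`recvSeqNum++`). The function starts before this hunk and the `out:` cleanup continues past it, so whether a failed handshake is always torn down is not visible here.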
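Review bot: In nla_decrypt_ts_credentials the buffer released by the added `sspi_SecBufferFree(&nla->tsCredentials);` is the decrypt destination, which presumably holds plaintext TSCredentials from an earlier pass. Releasing it fixes the leak, but the old contents should be wiped before the memory returns to the allocator; sspi_SecBufferFree is not shown in this patch, so confirm that it zeroes pvBuffer with a call the compiler cannot elide, and record that in a comment such as `/* drops and wipes any previously decrypted credentials */`. On a failed decrypt nla->tsCredentials is now left empty rather than stale, which any caller reading it after a FALSE return has to tolerate. The function starts before and continues past the hunk.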