From 09eacb8b24884f89da7a4d6ceaa4dafbe0f67b67 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Sat, 4 Nov 2023 08:56:01 +0100
Subject: [PATCH] BUG/MINOR: server: remove some incorrect free() calls on null
 elements

In commit 6f4bfed3a ("MINOR: server: Add parser support for
set-proxy-v2-tlv-fmt") a few free() calls were made to an element on
error path when it was detected it was NULL. It doesn't have any
effect, however there was one case of use-after-free at the end of
srv_settings_cpy() that was caught by gcc due to attempting to free
the element after freeing its holder.

No backport is needed.
---
 src/server.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/server.c b/src/server.c
index 488b6663b..6e9e19564 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1372,7 +1372,6 @@ static int srv_parse_set_proxy_v2_tlv_fmt(char **args, int *cur_arg,
 	srv_tlv->fmt_string = strdup(args[*cur_arg + 1]);
 	if (unlikely(!srv_tlv->fmt_string)) {
 		memprintf(err, "'%s' : failed to save format string for parsing", args[*cur_arg]);
-		free(srv_tlv->fmt_string);
 		goto fail;
 	}
 
@@ -2519,13 +2518,11 @@ void srv_settings_cpy(struct server *srv, const struct server *src, int srv_tmpl
 			break;
 		new_srv_tlv = malloc(sizeof(struct srv_pp_tlv_list));
 		if (unlikely(!new_srv_tlv)) {
-			free(new_srv_tlv);
 			break;
 		}
 		new_srv_tlv->fmt_string = strdup(srv_tlv->fmt_string);
 		if (unlikely(!new_srv_tlv->fmt_string)) {
 			free(new_srv_tlv);
-			free(new_srv_tlv->fmt_string);
 			break;
 		}
 		new_srv_tlv->type = srv_tlv->type;