
auth_diameter: avoid double free in case of error and don't access freed pointer

Daniel-Constantin Mierla 11 anni fa
parent
commit
d2f71f3001

+ 2 - 2
modules/auth_diameter/authorize.c

@@ -478,9 +478,9 @@ int diameter_authorize(struct hdr_field* hdr, str* p_method, struct sip_uri uri,
 	{
 		port_flag = 1;	
 		memcpy(user_name.s+ruri.user.len+ruri.host.len+1, ":", 1);
-	}	
-	memcpy(user_name.s+ruri.user.len+ruri.host.len+name_flag+port_flag, 
+		memcpy(user_name.s+ruri.user.len+ruri.host.len+name_flag+port_flag, 
 					ruri.port.s, ruri.port.len);
+	}
 #ifdef DEBUG
 	LM_DBG(": AVP_Resource=%.*s\n", user_name.len, user_name.s);
 #endif
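Review bot: The ':' separator is still written at the literal offset `+1`, while the port copy directly below it uses `name_flag+port_flag`, so the two lines agree only when name_flag is 1. name_flag is set outside the hunk; if it can be 0 on this path, the port bytes start at the same offset as the colon and overwrite it. Writing the separator with `user_name.s[ruri.user.len+ruri.host.len+name_flag] = ':';` keeps both offsets in step. The allocation size of user_name.s is also computed outside the hunk, so confirm it accounts for name_flag, port_flag and ruri.port.len together.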

+ 1 - 1
modules/auth_diameter/tcp_comm.c

@@ -310,7 +310,7 @@ next:
 				break;
 			}
 			rb->chall_len=avp->data.len;
-			rb->chall = (unsigned char*)pkg_malloc(avp->data.len*sizeof(char));
+			rb->chall = (unsigned char*)pkg_malloc(avp->data.len*sizeof(unsigned char));
 			if(rb->chall == NULL)
 			{
 				LM_ERR("no more pkg memory\n");
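Review bot: `rb->chall_len` is assigned from `avp->data.len` before the allocation result is checked, so on the NULL branch the structure holds a non-zero length next to a NULL `chall`. The rest of the error branch is outside the hunk; unless it resets the length, a later reader that trusts chall_len would work on a NULL buffer. Moving the assignment below the check, or adding `rb->chall_len = 0;` in the failure branch, keeps the pair consistent. The length appears to come from a received AVP, so if nothing above the hunk bounds it, a sanity limit before `pkg_malloc` would be worth adding.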

+ 5 - 2
modules/auth_diameter/user_in.c

@@ -103,6 +103,7 @@ int diameter_is_user_in(struct sip_msg* _m, char* _hf, char* _group)
 	AAA_AVP *avp; 
 	int ret;
 	unsigned int tmp;
+	char *p = NULL;
 
 	grp = (str*)_group; /* via fixup */
 
@@ -174,12 +175,13 @@ int diameter_is_user_in(struct sip_msg* _m, char* _hf, char* _group)
 		if(user_name.len>0)
 		{
 			user_name.len++;
-			user_name.s = (char*)pkg_malloc(user_name.len);
-			if (!user_name.s) 
+			p = (char*)pkg_malloc(user_name.len);
+			if (!p)
 			{
 				LM_ERR("no pkg memory left\n");
 				return -6;
 			}
+			user_name.s = p;
 		
 			memcpy(user_name.s, user.s, user.len);
 			if(user.len>0)
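Review bot: `p` is now the only record that user_name.s points at a pkg buffer owned by this function, but the only release added is `if(p) pkg_free(p);` on the AAAInMessage failure in the next hunk. Every other return after this allocation is outside the visible hunks; each needs the same release, otherwise a request that fails later leaks pkg memory on every call. A single cleanup label that frees `p` would make this harder to miss than per-branch frees. The declaration in the first user_in.c hunk would also benefit from a comment such as `/* owns the buffer behind user_name.s; NULL when nothing was allocated */`.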
@@ -198,6 +200,7 @@ int diameter_is_user_in(struct sip_msg* _m, char* _hf, char* _group)
 	if ( (req=AAAInMessage(AA_REQUEST, AAA_APP_NASREQ))==NULL)
 	{
 		LM_ERR("can't create new AAA message!\n");
+		if(p) pkg_free(p);
 		return -1;
 	}