Commit 51fc8443c1 for qemu.org

commit 51fc8443c122fedf4d4891bbc3a1ff25dd8bacdf
Author: GuoHan Zhao <zhaoguohan@kylinos.cn>
Date:   Fri Mar 20 14:30:16 2026 +0800

    block/curl: free s->password in cleanup paths

    When password-secret is used, curl_open() resolves it with
    qcrypto_secret_lookup_as_utf8() and stores the returned buffer in
    s->password.

    Unlike s->proxypassword, s->password is not freed either in the open
    failure path or in curl_close(), so the resolved secret leaks once it
    has been allocated.

    Free s->password in both cleanup paths.

    Fixes: 1bff96064290 ('curl: add support for HTTP authentication parameters')
    Signed-off-by: GuoHan Zhao <zhaoguohan@kylinos.cn>
    Message-ID: <20260320063016.262954-1-zhaoguohan_salmon@163.com>
    Reviewed-by: Kevin Wolf <kwolf@redhat.com>
    Signed-off-by: Kevin Wolf <kwolf@redhat.com>

diff --git a/block/curl.c b/block/curl.c
index 66aecfb20e..419df78258 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -903,6 +903,7 @@ out_noclean:
     g_free(s->cookie);
     g_free(s->url);
     g_free(s->username);
+    g_free(s->password);
     g_free(s->proxyusername);
     g_free(s->proxypassword);
     if (s->sockets) {
@@ -1014,6 +1015,7 @@ static void curl_close(BlockDriverState *bs)
     g_free(s->cookie);
     g_free(s->url);
     g_free(s->username);
+    g_free(s->password);
     g_free(s->proxyusername);
     g_free(s->proxypassword);
 }