From 0995c914bd6406264e24b44278bbc806c43ba67c Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Mon, 11 May 2026 15:04:19 +0200
Subject: [PATCH] BUG/MINOR: tools: fix memory leak in env_expand() error path

When my_realloc2() fails in env_expand(), the code jumps to 'leave:' and returns NULL, but the original input 'in' is never freed (it's only freed at line 4919 in the success case). Given that callers typically pass it the direct return of strdup(), it looks like it is expected to always be freed. This can be backported everywhere.
---
 src/tools.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/tools.c b/src/tools.c
index 268951629..23a865a8c 100644
--- a/src/tools.c
+++ b/src/tools.c
@@ -4900,8 +4900,10 @@ char *env_expand(char *in)
 }
 out = my_realloc2(out, out_len + (txt_end - txt_beg) + val_len + 1);
- if (!out)
+ if (!out) {
+ free(in);
 goto leave;
+ }
 if (txt_end > txt_beg) {
 memcpy(out + out_len, txt_beg, txt_end - txt_beg);
-- 
2.47.3
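Review bot: The added `free(in);` in the `if (!out)` branch means env_expand() now releases the caller's buffer on the NULL return too, so any caller that still frees or reads its own pointer after a failure would hit a double free or use-after-free. The commit message only says callers "typically" pass a fresh strdup(); the call sites are outside this hunk, so each one should be checked before this is backported. The ownership rule also deserves a line on the function itself, for example `/* ownership of <in> passes to env_expand(): on a NULL return it has already been freed, callers must only use the returned pointer */`. If other paths also jump to `leave:`, doing the free at the label would keep them consistent, but the label and the rest of the function body are not visible here.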