curl: fix memory leak when -h is used in config file

Reported-by: antypanty on hackerone

Add test 748 to reproduce and verify fix

Closes #17306

src/tool_cfgable.h

@@ -350,7 +350,6 @@ struct GlobalConfig {
   FILE *trace_stream;
   char *libcurl;                  /* Output libcurl code to this filename */
   char *ssl_sessions;             /* file to load/save SSL session tickets */
-  char *help_category;            /* The help category, if set */
   char *knownhosts;               /* known host path, if set. curl_free()
                                      this */
   struct tool_var *variables;

src/tool_getparam.c

@@ -37,6 +37,7 @@
 #include "tool_parsecfg.h"
 #include "tool_main.h"
 #include "tool_stderr.h"
+#include "tool_help.h"
 #include "var.h"
 
 #include <memdebug.h> /* keep this as LAST include */
@@ -2750,13 +2751,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
       break;
     case C_HELP: /* --help */
       if(toggle) {
-        if(*nextarg) {
-          global->help_category = strdup(nextarg);
-          if(!global->help_category) {
-            err = PARAM_NO_MEM;
-            break;
-          }
-        }
+        tool_help((nextarg && *nextarg) ? nextarg : NULL);
         err = PARAM_HELP_REQUESTED;
       }
       /* we now actually support --no-help too! */

src/tool_help.c

@@ -223,7 +223,7 @@ bool helpscan(const unsigned char *buf, size_t len, struct scan_ctx *ctx)
 
 #endif
 
-void tool_help(char *category)
+void tool_help(const char *category)
 {
   unsigned int cols = get_terminal_columns();
   /* If no category was provided */
@@ -255,7 +255,7 @@ void tool_help(char *category)
     /* command line option help */
     const struct LongShort *a = NULL;
     if(category[1] == '-') {
-      char *lookup = &category[2];
+      const char *lookup = &category[2];
       bool noflagged = FALSE;
       if(!strncmp(lookup, "no-", 3)) {
         lookup += 3;
@@ -299,7 +299,6 @@ void tool_help(char *category)
     puts("Unknown category provided, here is a list of all categories:\n");
     get_categories();
   }
-  free(category);
 }
 
 static bool is_debug(void)

src/tool_help.h

@@ -25,7 +25,7 @@
  ***************************************************************************/
 #include "tool_setup.h"
 
-void tool_help(char *category);
+void tool_help(const char *category);
 void tool_list_engines(void);
 void tool_version_info(void);
 struct scan_ctx {

src/tool_operate.c

@@ -3189,7 +3189,7 @@ CURLcode operate(struct GlobalConfig *global, int argc, argv_item_t argv[])
 
       /* Check if we were asked for the help */
       if(res == PARAM_HELP_REQUESTED)
-        tool_help(global->help_category);
+        ; /* already done */
       /* Check if we were asked for the manual */
       else if(res == PARAM_MANUAL_REQUESTED) {
 #ifdef USE_MANUAL

tests/data/Makefile.am

@@ -107,7 +107,7 @@ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
 test718 test719 test720 test721 test722 test723 test724 test725 test726 \
 test727 test728 test729 test730 test731 test732 test733 test734 test735 \
 test736 test737 test738 test739 test740 test741 test742 test743 test744 \
-test745 test746 test747 \
+test745 test746 test747 test748 \
 \
 test780 test781 test782 test783 test784 test785 test786 test787 test788 \
 test789 test790 test791 \

tests/data/test748

@@ -0,0 +1,36 @@
+<testcase>
+<info>
+<keywords>
+--config
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+#
+# Client-side
+<client>
+
+<server>
+none
+</server>
+<name>
+A --config file that uses -h and no URL
+</name>
+<file name="%LOGDIR/cmd">
+-h all
+</file>
+<command>
+-K %LOGDIR/cmd
+</command>
+</client>
+
+<verify>
+<errorcode>
+2
+</errorcode>
+</verify>
+</testcase>