RADIUS server: Fix error paths in new session creation

radius_server_session_free() does not remove the session from the
session list and these radius_server_get_new_session() error paths ended
up leaving a pointer to freed memory into the session list. This
resulted in the following operations failing due to use of freed memory.

Fix this by using radius_server_session_remove() which removes the entry
from the list in addition to calling radius_server_session_free().

Signed-off-by: Jouni Malinen <j@w1.fi>

src/radius/radius_server.c

@@ -662,14 +662,14 @@ radius_server_get_new_session(struct radius_server_data *data,
 
 	sess->username = os_malloc(user_len * 4 + 1);
 	if (sess->username == NULL) {
-		radius_server_session_free(data, sess);
+		radius_server_session_remove(data, sess);
 		return NULL;
 	}
 	printf_encode(sess->username, user_len * 4 + 1, user, user_len);
 
 	sess->nas_ip = os_strdup(from_addr);
 	if (sess->nas_ip == NULL) {
-		radius_server_session_free(data, sess);
+		radius_server_session_remove(data, sess);
 		return NULL;
 	}
 
@@ -702,7 +702,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 	if (sess->eap == NULL) {
 		RADIUS_DEBUG("Failed to initialize EAP state machine for the "
 			     "new session");
-		radius_server_session_free(data, sess);
+		radius_server_session_remove(data, sess);
 		return NULL;
 	}
 	sess->eap_if = eap_get_interface(sess->eap);