onion: Do not leak parsed TLV if it is invalid

We were freeing the payload but not the TLV from which we extracted the
payload.

common/onion.c

@@ -243,9 +243,11 @@ struct onion_payload *onion_decode(const tal_t *ctx,
 	case ONION_TLV_PAYLOAD:
 		tlv = tlv_tlv_payload_new(p);
 		if (!fromwire_tlv_payload(&cursor, &max, tlv))
-			return tal_free(p);
-		if (!tlv_payload_is_valid(tlv, NULL))
-			return tal_free(p);
+			goto fail;
+
+		if (!tlv_payload_is_valid(tlv, failtlvpos))
+			goto fail;
+
 
 		/* BOLT #4:
 		 *
@@ -254,7 +256,7 @@ struct onion_payload *onion_decode(const tal_t *ctx,
 		 *     `outgoing_cltv_value` are not present.
 		 */
 		if (!tlv->amt_to_forward || !tlv->outgoing_cltv_value)
-			return tal_free(p);
+			goto fail;
 
 		amount_msat_from_u64(&p->amt_to_forward,
 				     tlv->amt_to_forward->amt_to_forward);
@@ -269,7 +271,7 @@ struct onion_payload *onion_decode(const tal_t *ctx,
 		 */
 		if (rs->nextcase == ONION_FORWARD) {
 			if (!tlv->short_channel_id)
-				return tal_free(p);
+				goto fail;
 			p->forward_channel = tal(p, struct short_channel_id);
 			*p->forward_channel
 				= tlv->short_channel_id->short_channel_id;
@@ -300,4 +302,8 @@ struct onion_payload *onion_decode(const tal_t *ctx,
 
 	/* You said it was a valid type! */
 	abort();
+fail:
+	tal_free(tlv);
+	tal_free(p);
+	return NULL;
 }