Fix leak in key change operations

In preserve_one_old_key(), if the initial decryption in the current
master key succeeds, free the decrypted keyblock contents before
exiting.

ticket: 8446 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup

diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c
index ead06ec7261b5b9500f930e2173cd034da22ed01..03efc28edb7473d6e285da46c9f35fc06a801453 100644 (file)
--- a/src/lib/kdb/kdb_cpw.c
+++ b/src/lib/kdb/kdb_cpw.c
@@ -106,6 +106,7 @@ preserve_one_old_key(krb5_context context, krb5_keyblock *mkey,
         /* old_kd is already encrypted in mkey, so just move it. */
         *new_kd = *old_kd;
         memset(old_kd, 0, sizeof(*old_kd));
+        krb5_free_keyblock_contents(context, &kb);
         return 0;
     }