Fix KDC encrypting key memory leak on some errors
authorGreg Hudson <ghudson@mit.edu>
Tue, 27 Feb 2018 16:56:58 +0000 (11:56 -0500)
committerGreg Hudson <ghudson@mit.edu>
Fri, 2 Mar 2018 15:43:43 +0000 (10:43 -0500)
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the
allocation and destruction of encrypting_key, causing it to leak when
any of the intervening calls jump to the cleanup label.  Currently the
leak manifests on transited or authdata failures.  Move encrypting_key
destruction to the cleanup label so that it can't leak.  Reported by
anedvedicky@gmail.com.

ticket: 8645 (new)
tags: pullup
target_version: 1.16-next
target_version: 1.15-next

src/kdc/do_tgs_req.c

index cc5a6923629a111cf07c63897881652f6c1437b6..fca01db9d11523cf168b23571eab2b2c2bab7095 100644 (file)
@@ -144,6 +144,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     memset(&reply_encpart, 0, sizeof(reply_encpart));
     memset(&ticket_reply, 0, sizeof(ticket_reply));
     memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
+    memset(&encrypting_key, 0, sizeof(encrypting_key));
     session_key.contents = NULL;
 
     retval = decode_krb5_tgs_req(pkt, &request);
@@ -719,8 +720,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 
     errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
                                     &ticket_reply);
-    if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
-        krb5_free_keyblock_contents(kdc_context, &encrypting_key);
     if (errcode)
         goto cleanup;
     ticket_reply.enc_part.kvno = ticket_kvno;
@@ -810,6 +809,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 cleanup:
     if (status == NULL)
         status = "UNKNOWN_REASON";
+    if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
+        krb5_free_keyblock_contents(kdc_context, &encrypting_key);
     if (reply_key)
         krb5_free_keyblock(kdc_context, reply_key);
     if (errcode)
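Review bot: The free added under `cleanup:` decides whether `encrypting_key` is owned by re-reading `request->kdc_options`, and nothing at that site explains why the flag guards the free. Presumably with KDC_OPT_ENC_TKT_IN_SKEY the key block aliases key data owned by another object, so releasing it here would be a double free; a comment such as `/* With ENC_TKT_IN_SKEY, encrypting_key aliases a key owned elsewhere; free only the copy we allocated. */` would stop a later edit from dropping the condition. The check also dereferences `request` on every path into cleanup, so confirm that no `goto cleanup` can run while `request` is NULL; the code between the decode call and this label is outside the hunks shown. A local ownership flag set where the key is allocated would remove both dependencies, and the free stays safe on early exits only because of the `memset(&encrypting_key, 0, ...)` added in the first hunk.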