Fix leak on error in kadm5 randkey handling

An attempt to change the kadmin/history key with the -keepold flag
would leak the KDB entry and keysalt tuple as it returned an error.
Use the cleanup handler instead of returning directly.  Reported by
Bean Zhang.

(cherry picked from commit c4bdb3a1c890149a472ed98a94cf85316b143265)

ticket: 8759
version_fixed: 1.15.4

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index a35c24900192f85e393bff4f66b7520c21d30736..cb76780a2a8cb937b60aecf715f4a7058ffffad7 100644 (file)
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1582,8 +1582,10 @@ kadm5_randkey_principal_3(void *server_handle,
     if (krb5_principal_compare(handle->context, principal, hist_princ)) {
         /* If changing the history entry, the new entry must have exactly one
          * key. */
-        if (keepold)
-            return KADM5_PROTECT_PRINCIPAL;
+        if (keepold) {
+            ret = KADM5_PROTECT_PRINCIPAL;
+            goto done;
+        }
         new_n_ks_tuple = 1;
     }