Fix memory leak on error in KDC decrypt_2ndtkt()

Make sure to release the server principal entry in the cleanup handler
if it is not assigned to the output parameter.  Reported by Will
Fiveash.

ticket: 8362
target_version: 1.14-next
target_version: 1.13-next
tags: pullup

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index cb2cf357731b13e9b661142447a7e8adedfb29b9..a52c960478021f53c44959764f2b4f50f3688425 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -975,7 +975,7 @@ decrypt_2ndtkt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
                const char **status)
 {
     krb5_error_code retval;
-    krb5_db_entry *server;
+    krb5_db_entry *server = NULL;
     krb5_keyblock *key;
     krb5_kvno kvno;
     krb5_ticket *stkt;
@@ -1002,7 +1002,9 @@ decrypt_2ndtkt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req,
         goto cleanup;
     }
     *server_out = server;
+    server = NULL;
 cleanup:
+    krb5_db_free_principal(kdc_context, server);
     return retval;
 }