Free resources when gss_accept_sec_context() fails

Even if a call to gss_accept_sec_context() fails, it might still cause a
GSS-API response token to be allocated and left for the caller to
release.  Make sure the token is released before an early return from
dst_gssapi_acceptctx().

diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index ee512041fe6ea5e9846f39c6a4a6e93d6851b741..6132d863e6bf7029500dffa197d8f22a86471065 100644 (file)
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -739,6 +739,9 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
        default:
                gss_log(3, "failed gss_accept_sec_context: %s",
                        gss_error_tostring(gret, minor, buf, sizeof(buf)));
+               if (gouttoken.length > 0U) {
+                       (void)gss_release_buffer(&minor, &gouttoken);
+               }
                return (result);
        }