Fix GSS krb5 acceptor acquire_cred error handling

When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle.  If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code.  Memory
leak reported by Andrea Campi.

ticket: 7805
target_version: 1.12.1
tags: pullup

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 0efcad4fe91070150fdccf2516e9173fa1622bdf..9547207b113e8d9a809021bf589d700ab25dff40 100644 (file)
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
         code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
                                       &cred->rcache);
         if (code) {
+            krb5_kt_close(context, kt);
             *minor_status = code;
             return GSS_S_FAILURE;
         }
@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
         /* Make sure we have a keytab with keys in it. */
         code = krb5_kt_have_content(context, kt);
         if (code) {
+            krb5_kt_close(context, kt);
             *minor_status = code;
-            return GSS_S_FAILURE;
+            return GSS_S_CRED_UNAVAIL;
         }
     }