From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 29 Jun 2016 02:20:22 +0000 (-0400)
Subject: Fix leak in key change operations
X-Git-Tag: krb5-1.15-beta1~104
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19ad1a36f0c133725981edf3dde8fe078a8285b1;p=thirdparty%2Fkrb5.git

Fix leak in key change operations

In preserve_one_old_key(), if the initial decryption in the current
master key succeeds, free the decrypted keyblock contents before
exiting.

ticket: 8446 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---

diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c
index ead06ec726..03efc28edb 100644
--- a/src/lib/kdb/kdb_cpw.c
+++ b/src/lib/kdb/kdb_cpw.c
@@ -106,6 +106,7 @@ preserve_one_old_key(krb5_context context, krb5_keyblock *mkey,
         /* old_kd is already encrypted in mkey, so just move it. */
         *new_kd = *old_kd;
         memset(old_kd, 0, sizeof(*old_kd));
+        krb5_free_keyblock_contents(context, &kb);
         return 0;
     }