From: Ondřej Surý
Date: Fri, 6 Feb 2026 16:50:55 +0000 (+0100)
Subject: Release gnamebuf also on the error path
X-Git-Tag: v9.21.19~33^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ad87f1ad612fb6adce175760483735066300266;p=thirdparty%2Fbind9.git

Release gnamebuf also on the error path

In dst_gssapi_acceptctx(), the gnamebuf could leak a little bit of memory if dns_name_fromtext() would theoretically fail. This would require a Kerberos principal with invalid DNS name.
---
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index bebad476775..b500e94cdaa 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -503,15 +503,6 @@ dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken,
 isc_buffer_add(&namebuf, r.length);
 CHECK(dns_name_fromtext(principal, &namebuf, dns_rootname, 0));
-
- if (gnamebuf.length != 0U) {
- gret = gss_release_buffer(&minor, &gnamebuf);
- if (gret != GSS_S_COMPLETE) {
- gss_log(3, "failed gss_release_buffer: %s",
- gss_error_tostring(gret, minor, buf,
- sizeof(buf)));
- }
- }
 } else {
 result = DNS_R_CONTINUE;
 }
@@ -519,6 +510,15 @@ dst_gssapi_acceptctx(const char *gssapi_keytab, isc_region_t *intoken,
 *ctxout = context;
 cleanup:
+ if (gnamebuf.length != 0U) {
+ gret = gss_release_buffer(&minor, &gnamebuf);
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed gss_release_buffer: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
+ }
+ }
+
 if (gname != NULL) {
 gret = gss_release_name(&minor, &gname);
 if (gret != GSS_S_COMPLETE) {
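Review bot: With the release moved under `cleanup:` in the second hunk, the `gnamebuf.length != 0U` test now also runs on every exit taken before gnamebuf has been filled, so it is only safe if gnamebuf is initialized empty where it is declared. That declaration is outside the hunk; if it is not already `gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER;`, the check reads an indeterminate length and could pass an uninitialized descriptor to gss_release_buffer(). A one-line comment above the block, such as `/* gnamebuf is only set on the completed-context path; release it here so error exits do not leak it */`, would record why it lives in the shared cleanup. The body of dst_gssapi_acceptctx() starts and ends outside both hunks, so the early exits themselves are not visible here.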