From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 27 Feb 2018 16:56:58 +0000 (-0500)
Subject: Fix KDC encrypting key memory leak on some errors
X-Git-Tag: krb5-1.15.3-final~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b294627169fba270dbd78cff5e1408a21051b266;p=thirdparty%2Fkrb5.git

Fix KDC encrypting key memory leak on some errors

Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the
allocation and destruction of encrypting_key, causing it to leak when
any of the intervening calls jump to the cleanup label.  Currently the
leak manifests on transited or authdata failures.  Move encrypting_key
destruction to the cleanup label so that it can't leak.  Reported by
anedvedicky@gmail.com.

(cherry picked from commit 1bcf2742d504a22b7354251bbc1e19c3dacd95f3)

ticket: 8645
version_fixed: 1.15.3
---

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 339259fd1e..1000a104a1 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -144,6 +144,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     memset(&reply_encpart, 0, sizeof(reply_encpart));
     memset(&ticket_reply, 0, sizeof(ticket_reply));
     memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
+    memset(&encrypting_key, 0, sizeof(encrypting_key));
     session_key.contents = NULL;
 
     retval = decode_krb5_tgs_req(pkt, &request);
@@ -721,8 +722,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 
     errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
                                     &ticket_reply);
-    if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
-        krb5_free_keyblock_contents(kdc_context, &encrypting_key);
     if (errcode) {
         status = "ENCRYPT_TICKET";
         goto cleanup;
@@ -825,6 +824,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 cleanup:
     if (status == NULL)
         status = "UNKNOWN_REASON";
+    if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
+        krb5_free_keyblock_contents(kdc_context, &encrypting_key);
     if (reply_key)
         krb5_free_keyblock(kdc_context, reply_key);
     if (errcode)