From 3e5f7709e1928f1e814c427f2811d9204a167439 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 28 Jun 2016 14:52:31 -0400
Subject: [PATCH] Fix krb5_get_init_creds_password() pwchange leak

When krb5_get_init_creds_password() attempts to change the password,
make sure to free code_string along all exit paths.

ticket: 8440 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
 src/lib/krb5/krb/gic_pwd.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 55aa9d6e88..6f3a29f2c4 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -442,6 +442,7 @@ krb5_get_init_creds_password(krb5_context context,
             /* the change succeeded.  go on */
 
             if (result_code == 0) {
+                free(code_string.data);
                 free(result_string.data);
                 break;
             }
@@ -451,6 +452,7 @@ krb5_get_init_creds_password(krb5_context context,
             ret = KRB5_CHPW_FAIL;
 
             if (result_code != KRB5_KPASSWD_SOFTERROR) {
+                free(code_string.data);
                 free(result_string.data);
                 goto cleanup;
             }
-- 
2.47.2