From 73c7c6ec9bc3a1993e766f119e9e29905ded5e28 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 7 Dec 2022 20:13:25 +1300
Subject: [PATCH] CVE-2022-44640 source4/heimdal: Fix use-after-free when
 decoding PA-ENC-TS-ENC

Upstream Heimdal fixed this in commit
7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of
ENC-CHALLANGE).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source4/heimdal/kdc/kerberos5.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index ad026dd617b..bda61e69df2 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -1391,7 +1391,6 @@ _kdc_as_rep(krb5_context context,
 			client_name);
 		continue;
 	    }
-	    free_PA_ENC_TS_ENC(&p);
 	    if (abs(kdc_time - p.patimestamp) > context->max_skew) {
 		char client_time[100];
 
@@ -1413,8 +1412,10 @@ _kdc_as_rep(krb5_context context,
 		 * there is a e_text, they become unhappy.
 		 */
 		e_text = NULL;
+		free_PA_ENC_TS_ENC(&p);
 		goto out;
 	    }
+	    free_PA_ENC_TS_ENC(&p);
 	    et.flags.pre_authent = 1;
 
 	    set_salt_padata(rep.padata, pa_key->salt);
-- 
2.47.2