Free resources when gss_accept_sec_context() fails

Even if a call to gss_accept_sec_context() fails, it might still cause a
GSS-API response token to be allocated and left for the caller to
release.  Make sure the token is released before an early return from
dst_gssapi_acceptctx().

(cherry picked from commit d954e152d9f2901118b1fe36d3931ec244317fab)

diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index 549bd47f786390a7fbd29595538f0a7c2bbbafd8..482c25e1cccb9aeeb92afcbebc341bbc26f9b18f 100644 (file)
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -715,6 +715,9 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
        default:
                gss_log(3, "failed gss_accept_sec_context: %s",
                        gss_error_tostring(gret, minor, buf, sizeof(buf)));
+               if (gouttoken.length > 0U) {
+                       (void)gss_release_buffer(&minor, &gouttoken);
+               }
                return (result);
        }