From c7544084565dcee8dd18b2a4d99c594253c656b7 Mon Sep 17 00:00:00 2001
From: Jeffrey Hutzelman
Date: Sun, 18 Nov 2012 16:52:45 -0500
Subject: ZCheckSrvAuthentication: fix auth context leak
Fix a leak in which we fail to free a Kerberos authentication context in ZCheckSrvAuthentication if getting or setting the context flags fails.
---
 server/kstuff.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/kstuff.c b/server/kstuff.c
index 38c7a6c..290a1e4 100644
--- a/server/kstuff.c
+++ b/server/kstuff.c
@@ -330,8 +330,10 @@ ZCheckSrvAuthentication(ZNotice_t *notice,
 return ZAUTH_FAILED;
 }
+ /* HOLDING: authbuf, keytabid, authctx */
 result = krb5_auth_con_getflags(Z_krb5_ctx, authctx, &acflags);
 if (result) {
+ krb5_auth_con_free(Z_krb5_ctx, authctx);
 krb5_kt_close(Z_krb5_ctx, keytabid);
 free(authbuf);
 syslog(LOG_DEBUG, "ZCheckSrvAuthentication: krb5_auth_con_getflags: %s", error_message(result));
@@ -342,13 +344,13 @@ ZCheckSrvAuthentication(ZNotice_t *notice,
 result = krb5_auth_con_setflags(Z_krb5_ctx, authctx, acflags);
 if (result) {
+ krb5_auth_con_free(Z_krb5_ctx, authctx);
 krb5_kt_close(Z_krb5_ctx, keytabid);
 free(authbuf);
 syslog(LOG_DEBUG, "ZCheckSrvAuthentication: krb5_auth_con_setflags: %s", error_message(result));
 return ZAUTH_FAILED;
 }
- /* HOLDING: authbuf, authctx */
 result = krb5_build_principal(Z_krb5_ctx, &server, strlen(__Zephyr_realm), __Zephyr_realm, SERVER_SERVICE, SERVER_INSTANCE, NULL);
@@ -359,6 +361,7 @@ ZCheckSrvAuthentication(ZNotice_t *notice,
 }
 krb5_kt_close(Z_krb5_ctx, keytabid);
+ /* HOLDING: authbuf, authctx */
 if (result) {
 if (result == KRB5KRB_AP_ERR_REPEAT) syslog(LOG_DEBUG, "ZCheckSrvAuthentication: k5 auth failed: %s",
-- cgit v1.2.3
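Review bot: The release sequence `krb5_auth_con_free` / `krb5_kt_close` / `free(authbuf)` is now written out by hand in both the `krb5_auth_con_getflags` and the `krb5_auth_con_setflags` failure branches (first and second hunks), so every exit path still has to keep its own copy of the held-resource list, which is presumably how the context came to be missed. Routing both branches to one cleanup label puts that list in a single place, which matters in a server-side authentication check where each leaked context stays allocated for the life of the process. The function begins and ends outside these hunks, so the label's position relative to the later exits (after `krb5_build_principal`, where more may be held) has to be checked against the full body; the sketch covers only the two branches shown.

```c
    /* HOLDING: authbuf, keytabid, authctx */
    result = krb5_auth_con_getflags(Z_krb5_ctx, authctx, &acflags);
    if (result) {
        syslog(LOG_DEBUG, "ZCheckSrvAuthentication: krb5_auth_con_getflags: %s",
               error_message(result));
        goto fail_flags;
    }
    /* … unchanged: lines between the two flag calls … */
    result = krb5_auth_con_setflags(Z_krb5_ctx, authctx, acflags);
    if (result) {
        syslog(LOG_DEBUG, "ZCheckSrvAuthentication: krb5_auth_con_setflags: %s",
               error_message(result));
        goto fail_flags;
    }
    /* … unchanged: krb5_build_principal through the end of the function … */

fail_flags:
    /* Single release point for everything held while adjusting the flags. */
    krb5_auth_con_free(Z_krb5_ctx, authctx);
    krb5_kt_close(Z_krb5_ctx, keytabid);
    free(authbuf);
    return ZAUTH_FAILED;
```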