krb5 commit [krb5-1.11]: Fix GSS krb5 acceptor acquire_cred error handling

Thu Jan 16 15:46:34 EST 2014

https://github.com/krb5/krb5/commit/35f29b11861ca3cac611872a6ce023be0972bf5b
commit 35f29b11861ca3cac611872a6ce023be0972bf5b
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Dec 16 15:37:56 2013 -0500

    Fix GSS krb5 acceptor acquire_cred error handling
    
    When acquiring acceptor creds with a specified name, if we fail to
    open a replay cache, we leak the keytab handle.  If there is no
    specified name and we discover that there is no content in the keytab,
    we leak the keytab handle and return the wrong major code.  Memory
    leak reported by Andrea Campi.
    
    (cherry picked from commit decccbcb5075f8fbc28a535a9b337afc84a15dee)
    
    ticket: 7829 (new)
    version_fixed: 1.11.5
    status: resolved

 src/lib/gssapi/krb5/acquire_cred.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 258ec74..af3928a 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -241,6 +241,7 @@ acquire_accept_cred(krb5_context context,
         code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
                                       &cred->rcache);
         if (code) {
+            krb5_kt_close(context, kt);
             *minor_status = code;
             return GSS_S_FAILURE;
         }
@@ -248,8 +249,9 @@ acquire_accept_cred(krb5_context context,
         /* Make sure we have a keytab with keys in it. */
         code = krb5_kt_have_content(context, kt);
         if (code) {
+            krb5_kt_close(context, kt);
             *minor_status = code;
-            return GSS_S_FAILURE;
+            return GSS_S_CRED_UNAVAIL;
         }
     }
 
