krb5 commit: Zap copy of secret in RC4 string-to-key

Mon Jul 16 10:10:19 EDT 2018

https://github.com/krb5/krb5/commit/5d19f90f3216309c311507acbca2c8d0a286d632
commit 5d19f90f3216309c311507acbca2c8d0a286d632
Author: Dylan Gray <35609490+Dylan-MSFT at users.noreply.github.com>
Date:   Fri Jul 13 15:09:01 2018 -0700

    Zap copy of secret in RC4 string-to-key
    
    Commit b8814745049b5f401e3ae39a81dc1e14598ae48c (ticket 8576) added a
    zero-terminated copy of the input string in
    krb5int_arcfour_string_to_key().  This copy should be zeroed when
    freed as the input string typically contains a password.
    
    [ghudson at mit.edu: rewrote commit message]
    
    ticket: 8713 (new)

 src/lib/crypto/krb/s2k_rc4.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/lib/crypto/krb/s2k_rc4.c b/src/lib/crypto/krb/s2k_rc4.c
index 081a912..f7e699d 100644
--- a/src/lib/crypto/krb/s2k_rc4.c
+++ b/src/lib/crypto/krb/s2k_rc4.c
@@ -25,7 +25,7 @@ krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp,
     if (utf8 == NULL)
         return err;
     err = k5_utf8_to_utf16le(utf8, &copystr, &copystrlen);
-    free(utf8);
+    zapfree(utf8, string->length);
     if (err)
         return err;
 
