krb5 commit [krb5-1.16]: Fix KDC encrypting key memory leak on some errors
Greg Hudson
ghudson at mit.edu
Wed May 2 01:25:35 EDT 2018
https://github.com/krb5/krb5/commit/9377ef950a487757e0ecb15e53537218950747c4
commit 9377ef950a487757e0ecb15e53537218950747c4
Author: Greg Hudson <ghudson at mit.edu>
Date: Tue Feb 27 11:56:58 2018 -0500
Fix KDC encrypting key memory leak on some errors
Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the
allocation and destruction of encrypting_key, causing it to leak when
any of the intervening calls jump to the cleanup label. Currently the
leak manifests on transited or authdata failures. Move encrypting_key
destruction to the cleanup label so that it can't leak. Reported by
anedvedicky at gmail.com.
(cherry picked from commit 1bcf2742d504a22b7354251bbc1e19c3dacd95f3)
ticket: 8645
version_fixed: 1.16.1
src/kdc/do_tgs_req.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index cc5a692..fca01db 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -144,6 +144,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
memset(&reply_encpart, 0, sizeof(reply_encpart));
memset(&ticket_reply, 0, sizeof(ticket_reply));
memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
+ memset(&encrypting_key, 0, sizeof(encrypting_key));
session_key.contents = NULL;
retval = decode_krb5_tgs_req(pkt, &request);
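Review bot: The new memset of encrypting_key carries no comment explaining why it is needed, and it is easy to drop in a later cleanup pass. Since the cleanup label now calls krb5_free_keyblock_contents() on encrypting_key, this zeroing is what keeps that call from acting on uninitialized stack contents when a failure jumps to cleanup before the key is set. A one-line comment saying so would protect it.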
@@ -719,8 +720,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
- if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (errcode)
goto cleanup;
ticket_reply.enc_part.kvno = ticket_kvno;
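Review bot: With the free removed from just after krb5_encrypt_tkt_part(), encrypting_key stays populated for the remainder of process_tgs_req() rather than being released right after its use here. That is a reasonable trade for closing the leak, but it lengthens the time the key material sits in memory. A short comment at this spot noting that the key is released at the cleanup label would help readers who expect the free next to the last use.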
@@ -810,6 +809,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
cleanup:
if (status == NULL)
status = "UNKNOWN_REASON";
+ if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
+ krb5_free_keyblock_contents(kdc_context, &encrypting_key);
if (reply_key)
krb5_free_keyblock(kdc_context, reply_key);
if (errcode)
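Review bot: The added check in cleanup dereferences request->kdc_options, and request is only filled in by decode_krb5_tgs_req(pkt, &request) near the top of the function. Please confirm that no path reaches the cleanup label with request still NULL (for example a decode failure), or guard the check with a request != NULL test. The free is also gated on KDC_OPT_ENC_TKT_IN_SKEY rather than on whether this function owns the key contents, so it stays correct only while that flag and the ownership of encrypting_key remain in step; an explicit ownership flag or pointer would be more robust.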