krb5 commit [krb5-1.15]: Fix KDC encrypting key memory leak on some errors

[Greg Hudson]

https://github.com/krb5/krb5/commit/b294627169fba270dbd78cff5e1408a21051b266
commit b294627169fba270dbd78cff5e1408a21051b266
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Feb 27 11:56:58 2018 -0500

    Fix KDC encrypting key memory leak on some errors
    
    Commit 0ba5ccd7bb3ea15e44a87f84ca6feed8890f657d separated the
    allocation and destruction of encrypting_key, causing it to leak when
    any of the intervening calls jump to the cleanup label.  Currently the
    leak manifests on transited or authdata failures.  Move encrypting_key
    destruction to the cleanup label so that it can't leak.  Reported by
    anedvedicky at gmail.com.
    
    (cherry picked from commit 1bcf2742d504a22b7354251bbc1e19c3dacd95f3)
    
    ticket: 8645
    version_fixed: 1.15.3

 src/kdc/do_tgs_req.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 339259f..1000a10 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -144,6 +144,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
     memset(&reply_encpart, 0, sizeof(reply_encpart));
     memset(&ticket_reply, 0, sizeof(ticket_reply));
     memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply));
+    memset(&encrypting_key, 0, sizeof(encrypting_key));
     session_key.contents = NULL;
 
     retval = decode_krb5_tgs_req(pkt, &request);
@@ -721,8 +722,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 
     errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
                                     &ticket_reply);
-    if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
-        krb5_free_keyblock_contents(kdc_context, &encrypting_key);
     if (errcode) {
         status = "ENCRYPT_TICKET";
         goto cleanup;
@@ -825,6 +824,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 cleanup:
     if (status == NULL)
         status = "UNKNOWN_REASON";
+    if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
+        krb5_free_keyblock_contents(kdc_context, &encrypting_key);
     if (reply_key)
         krb5_free_keyblock(kdc_context, reply_key);
     if (errcode)