krb5 commit: Fix leak on error in kadm5 randkey handling

Fri Oct 26 10:42:06 EDT 2018

https://github.com/krb5/krb5/commit/c4bdb3a1c890149a472ed98a94cf85316b143265
commit c4bdb3a1c890149a472ed98a94cf85316b143265
Author: Greg Hudson <ghudson at mit.edu>
Date:   Thu Oct 25 11:56:58 2018 -0400

    Fix leak on error in kadm5 randkey handling
    
    An attempt to change the kadmin/history key with the -keepold flag
    would leak the KDB entry and keysalt tuple as it returned an error.
    Use the cleanup handler instead of returning directly.  Reported by
    Bean Zhang.
    
    ticket: 8759
    tags: pullup
    target_version: 1.16-next
    target_version: 1.15-next

 src/lib/kadm5/srv/svr_principal.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index a59a65e..21c53ec 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1564,8 +1564,10 @@ kadm5_randkey_principal_3(void *server_handle,
     if (krb5_principal_compare(handle->context, principal, hist_princ)) {
         /* If changing the history entry, the new entry must have exactly one
          * key. */
-        if (keepold)
-            return KADM5_PROTECT_PRINCIPAL;
+        if (keepold) {
+            ret = KADM5_PROTECT_PRINCIPAL;
+            goto done;
+        }
         new_n_ks_tuple = 1;
     }
 
