krb5 commit: Fix gic_keytab crash on memory exhaustion

ghudson at mit.edu
Mon Dec 5 18:22:02 EST 2022


https://github.com/krb5/krb5/commit/6bc90214830cb5239aa397c20763902f10f11786
commit 6bc90214830cb5239aa397c20763902f10f11786
Author: ChenChen Zhou <357726167 at qq.com>
Date:   Sun Nov 27 22:57:14 2022 +0800

    Fix gic_keytab crash on memory exhaustion
    
    get_as_key_keytab() does not check the result of krb5_copy_keyblock(),
    and dereferences a null pointer if it fails.  Remove the call and
    steal the memory from kt_ent instead.
    
    [ghudson at mit.edu: rewrote commit message; fixed comments]
    
    ticket: 9080 (new)

 src/lib/krb5/krb/gic_keytab.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index b8b7c1506..f9baabbf9 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -45,7 +45,6 @@ get_as_key_keytab(krb5_context context,
     krb5_keytab keytab = (krb5_keytab) gak_data;
     krb5_error_code ret;
     krb5_keytab_entry kt_ent;
-    krb5_keyblock *kt_key;
 
     /* We don't need the password from the responder to create the AS key. */
     if (as_key == NULL)
@@ -71,16 +70,13 @@ get_as_key_keytab(krb5_context context,
                                  etype, &kt_ent)))
         return(ret);
 
-    ret = krb5_copy_keyblock(context, &kt_ent.key, &kt_key);
-
-    /* again, krb5's memory management is lame... */
-
-    *as_key = *kt_key;
-    free(kt_key);
+    /* Steal the keyblock from kt_ent for the caller. */
+    *as_key = kt_ent.key;
+    memset(&kt_ent.key, 0, sizeof(kt_ent.key));
 
     (void) krb5_kt_free_entry(context, &kt_ent);
 
-    return(ret);
+    return 0;
 }
 
 /* Return the list of etypes available for client in keytab. */
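Review bot: the `memset(&kt_ent.key, 0, sizeof(kt_ent.key));` immediately after `*as_key = kt_ent.key;` is what makes the ownership transfer safe and must stay ahead of the `krb5_kt_free_entry(context, &kt_ent)` call; without it both keyblocks would point at the same `contents` buffer and freeing the keytab entry would leave the caller's `as_key` dangling. Zeroing the struct also drops the length to 0, so the subsequent free of the entry has nothing to release from the key. The change to `return 0` is correct because every earlier failure path already returns `ret` directly, so `ret` only ever carried the result of the removed krb5_copy_keyblock() call at this point. One suggestion: extend the new comment to state that the caller now owns `as_key->contents` and releases it with krb5_free_keyblock_contents(), since that contract is what this hunk relies on and it is not spelled out anywhere in the function.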

