kdc: _kdc_do_kx509 fix use after free error

In _kdc_do_kx509() do not free 'principal' until after its last
use.  Move declaration to top of function and free it during the
common exit processing.

Introduced by 10a5976e45.

Change-Id: Iaf000eb090b0fa523f04a4864c6b17058d922995

kdc/kx509.c

@@ -338,6 +338,7 @@ _kdc_do_kx509(krb5_context context,
     krb5_auth_context ac = NULL;
     krb5_keytab id = NULL;
     krb5_principal sprincipal = NULL, cprincipal = NULL;
+    krb5_principal principal = NULL;
     char *cname = NULL;
     Kx509Response rep;
     size_t size;
@@ -398,15 +399,11 @@ _kdc_do_kx509(krb5_context context,
     if (ret)
 	goto out;
 
-    {
-	krb5_principal principal = NULL;
-
     ret = krb5_ticket_get_server(context, ticket, &principal);
     if (ret)
 	goto out;
 
     ret = krb5_principal_compare(context, sprincipal, principal);
-	krb5_free_principal(context, principal);
     if (ret != TRUE) {
 	char *expected, *used;
 
@@ -428,7 +425,6 @@ _kdc_do_kx509(krb5_context context,
 	krb5_xfree(used);
 	goto out;
     }
-    }
 
     ret = krb5_auth_con_getkey(context, ac, &key);
     if (ret == 0 && key == NULL)
@@ -519,6 +515,8 @@ out:
 	krb5_free_principal(context, sprincipal);
     if (cprincipal)
 	krb5_free_principal(context, cprincipal);
+    if (principal)
+	krb5_free_principal(context, principal);
     if (key)
 	krb5_free_keyblock (context, key);
     if (cname)