From 5838fcaa61659b3802539597be3337aaff2f2ea3 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Sun, 16 Jan 2022 19:13:26 -0500
Subject: [PATCH] lib/krb5: build_logon_name use common 'out' do not leak 's2'

CHECK(ret, func(), label) jumps to the label if the function
returns non-zero.  As a result it bypasses the free(s2) call.
Use the common out label to free(s2).

Change-Id: I9a79df669e6407a82991f4a849fc16a0afaae561
---
 lib/krb5/pac.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c
index 592d7edab..56d9a6c59 100644
--- a/lib/krb5/pac.c
+++ b/lib/krb5/pac.c
@@ -1054,7 +1054,7 @@ build_logon_name(krb5_context context,
     krb5_error_code ret;
     krb5_storage *sp;
     uint64_t t;
-    char *s, *s2;
+    char *s, *s2 = NULL;
     size_t s2_len;
 
     t = unix2nttime(authtime);
@@ -1130,18 +1130,14 @@ build_logon_name(krb5_context context,
     CHECK(ret, krb5_store_uint16(sp, s2_len), out);
 
     ret = krb5_storage_write(sp, s2, s2_len);
-    free(s2);
     if (ret != (int)s2_len) {
 	ret = krb5_enomem(context);
 	goto out;
     }
     ret = krb5_storage_to_data(sp, logon);
-    if (ret)
-	goto out;
-    krb5_storage_free(sp);
 
-    return 0;
-out:
+ out:
+    free(s2);
     krb5_storage_free(sp);
     return ret;
 }