From 5cf652bf3529a879e74cb6506b5cd10b9146cf82 Mon Sep 17 00:00:00 2001
From: Ivan Korytov <korytovip@basealt.ru>
Date: Fri, 21 Feb 2025 14:41:17 +0300
Subject: [PATCH] kdc: Fix memory leak of encrypted preauthentication data

Deallocate r->ek.encrypted_pa_data after response was sent to client.

Signed-off-by: Ivan Korytov <korytovip@basealt.ru>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
---
 kdc/krb5tgs.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index 9b8cb29d9..2587a76ca 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2195,6 +2195,11 @@ out:
     free(csec);
     free(cusec);
 
+    if (r->ek.encrypted_pa_data) {
+	free_METHOD_DATA(r->ek.encrypted_pa_data);
+	free(r->ek.encrypted_pa_data);
+    }
+
     free_TGS_REP(&r->rep);
     free_TransitedEncoding(&r->et.transited);
     free(r->et.starttime);