From 7dce1b611138adb7f73add88f5ca75264545b4e8 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 13 Sep 2021 19:51:58 +1000
Subject: [PATCH] kdc: don't leak sec_context_token on checksum fail When validating the KDC-REQ-BODY checksum introduced in 0ed4d90a, don't leak the sec_context_token retrieved from the FX-COOKIE if checksum verifications fails.
---
 kdc/gss_preauth.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c
index be9ef9ce0..164167a7f 100644
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -221,8 +221,10 @@ pa_gss_get_context_state(astgs_request_t r,
 return ret;
 ret = pa_gss_verify_req_body_checksum(r, &gcp->req_body_checksum);
- if (ret)
+ if (ret) {
+ gss_release_buffer(&minor, &sec_context_token);
 return ret;
+ }
 major = gss_import_sec_context(&minor, &sec_context_token, &gcp->context_handle);
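Review bot: The token is released inline on this one early return only, so every other exit of pa_gss_get_context_state that runs after sec_context_token is filled has to repeat the same call by hand. A single cleanup label would make the release unconditional: `if (ret) goto out;` here, with `gss_release_buffer(&minor, &sec_context_token);` under `out:`. That presumably requires the buffer to start as GSS_C_EMPTY_BUFFER, which is not visible in the hunk. The path is driven by a client-supplied FX-COOKIE during pre-authentication, so any remaining leak can likely be repeated by a remote client to grow KDC memory. It is therefore worth confirming that the `return ret;` at the top of the hunk and the failure branch after `gss_import_sec_context` release the token as well, and that the decoded state in `gcp` is freed on this exit. The function starts and ends outside the hunk, so none of this can be verified from the lines shown.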