kdc: don't leak sec_context_token on checksum fail

When validating the KDC-REQ-BODY checksum introduced in 0ed4d90a, don't leak the sec_context_token retrieved from the FX-COOKIE if checksum verifications fails.
2021-09-13 19:51:58 +10:00
parent 3ac48a8dfd
commit 7dce1b6111
1 changed files with 3 additions and 1 deletions
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -221,8 +221,10 @@ pa_gss_get_context_state(astgs_request_t r,
        return ret;

    ret = pa_gss_verify_req_body_checksum(r, &gcp->req_body_checksum);
-    if (ret)
+    if (ret) {
+        gss_release_buffer(&minor, &sec_context_token);
        return ret;
+    }

    major = gss_import_sec_context(&minor, &sec_context_token,
                                   &gcp->context_handle);