From 941dfd95a32088d8e1dfce9fe1839d14bd8413b5 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Fri, 5 Jul 2019 15:30:43 -0500
Subject: [PATCH] pkinit: fix leak in client
---
 lib/krb5/pkinit.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 3ac8a5ab7..f2a899afe 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -1091,6 +1091,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
 krb5_error_code ret; struct krb5_pk_cert *host = NULL; krb5_data content;
+ heim_octet_string unwrapped;
 heim_oid contentType = { 0, NULL }; int flags = HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT;
@@ -1122,9 +1123,8 @@ pk_rd_pa_reply_enckey(krb5_context context,
 /* win2k uses ContentInfo */ if (type == PKINIT_WIN2K) { heim_oid type2;
- heim_octet_string out;
- ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+ ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
 if (ret) { /* windows LH with interesting CMS packets */ size_t ph = 1 + der_length_len(content.length);
@@ -1143,7 +1143,7 @@ pk_rd_pa_reply_enckey(krb5_context context,
 content.data = ptr; content.length += ph;
- ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &out, NULL);
+ ret = hx509_cms_unwrap_ContentInfo(&content, &type2, &unwrapped, NULL);
 if (ret) goto out; }
@@ -1152,13 +1152,13 @@ pk_rd_pa_reply_enckey(krb5_context context,
 krb5_set_error_message(context, ret, N_("PKINIT: Invalid content type", "")); der_free_oid(&type2);
- der_free_octet_string(&out);
+ der_free_octet_string(&unwrapped);
 goto out; } der_free_oid(&type2); krb5_data_free(&content);
- ret = krb5_data_copy(&content, out.data, out.length);
- der_free_octet_string(&out);
+ ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
+ der_free_octet_string(&unwrapped);
 if (ret) { krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
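Review bot: In the first hunk (`@@ -1091`), `heim_octet_string unwrapped;` is declared at function scope without an initialiser, while `contentType` on the next line is zeroed with `{ 0, NULL }`. The variable is now filled and freed at several points in the function, and the `out:` cleanup lies outside these hunks, so it is not visible whether every error path leaves it in a defined state. Declaring it as `heim_octet_string unwrapped = { 0, NULL };` would make a `der_free_octet_string(&unwrapped)` in the shared cleanup safe, and would keep a later edit from freeing an indeterminate pointer.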
@@ -1171,10 +1171,13 @@ pk_rd_pa_reply_enckey(krb5_context context,
 content.length, ctx->id, &contentType,
- &content,
+ &unwrapped,
 &host); if (ret) goto out;
+ krb5_data_free(&content);
+ ret = krb5_data_copy(&content, unwrapped.data, unwrapped.length);
+ der_free_octet_string(&unwrapped);
 /* make sure that it is the kdc's certificate */ ret = pk_verify_host(context, realm, hi, ctx, host);
@@ -1887,7 +1890,7 @@ _krb5_pk_load_id(krb5_context context,
 NULL, *chain_list); if (ret) { pk_copy_error(context, context->hx509ctx, ret,
- "Failed to laod chain %s",
+ "Failed to load chain %s",
 *chain_list); goto out; }
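Review bot: The return value of the added `krb5_data_copy()` in the `@@ -1171` hunk is never tested: the next statement that touches `ret` is `ret = pk_verify_host(...)`, which overwrites it. An allocation failure is therefore dropped, and the function continues with a `content` that was just freed and presumably not refilled. The same copy in the win2k branch (hunk `@@ -1152`) is followed by an `if (ret)` that sets the "malloc: out of memory" message and jumps to `out`. I would add `if (ret) goto out;` directly after `der_free_octet_string(&unwrapped);`, with the same `krb5_set_error_message()` call as that earlier branch. The rest of `pk_rd_pa_reply_enckey`, including the code that later consumes `content`, is outside the hunk.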