From c70540480bc357f844f4785a784ba3aac0d6f922 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 16 Apr 2020 07:19:35 +0000
Subject: [PATCH] gss: free user keytab before resolving system keytab

get_client_keytab() leaked the user keytab if it resolved but we could not find the client principal. Free it before trying the system keytab.
---
 lib/gssapi/krb5/acquire_cred.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/gssapi/krb5/acquire_cred.c b/lib/gssapi/krb5/acquire_cred.c
index 4ccad45dd..ba5d48fad 100644
--- a/lib/gssapi/krb5/acquire_cred.c
+++ b/lib/gssapi/krb5/acquire_cred.c
@@ -157,8 +157,14 @@ get_client_keytab(krb5_context context,
 krb5_kt_free_entry(context, &entry);
 }

- if (ret)
+ if (ret) {
+ if (*keytab) {
+ krb5_kt_close(context, *keytab);
+ *keytab = NULL;
+ }
+
 ret = get_system_keytab(context, GSS_C_NO_CRED_STORE, keytab);
+ }

 return ret;
 }
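Review bot: The new `if (*keytab)` test inside the `if (ret)` branch is only safe if `*keytab` is guaranteed to be NULL whenever the earlier user-keytab resolve failed; otherwise `krb5_kt_close()` is handed whatever the caller left in the out-parameter. The start of get_client_keytab() lies outside this hunk, so this cannot be confirmed from here; if the function does not already do so, add `*keytab = NULL;` at entry before any resolve attempt. A short comment above the close would also help, for example `/* release the user keytab so get_system_keytab() does not overwrite and leak it */`, since the reason for closing a successfully resolved keytab on the error path is not obvious from the code alone.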