From c844a1c62b187dc527e4b391e791ca62e6444ba5 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Sun, 16 Jan 2022 17:45:21 -0500
Subject: [PATCH] lib/krb5: load_priv_key do not leak error string

hx509_get_error_string() returns an allocated string that must
be freed with hx509_free_error_string().

Change-Id: I58d160ce1b09c48b587e8adce74277f6da469ceb
---
 lib/krb5/kx509.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/krb5/kx509.c b/lib/krb5/kx509.c
index 2a689553e..64db3a215 100644
--- a/lib/krb5/kx509.c
+++ b/lib/krb5/kx509.c
@@ -376,10 +376,13 @@ load_priv_key(krb5_context context,
         ret = ENOENT;
     if (ret == 0)
         kx509_ctx->priv_key = _hx509_private_key_ref(keys[0]);
-    if (ret)
+    if (ret) {
+	const char *emsg = hx509_get_error_string(context->hx509ctx, ret);
+
         krb5_set_error_message(context, ret, "Could not load private key "
-                               "from %s for kx509: %s", fn,
-                               hx509_get_error_string(context->hx509ctx, ret));
+                               "from %s for kx509: %s", fn, emsg);
+	hx509_free_error_string(context->hx509ctx, emsg);
+    }
     hx509_certs_free(&certs);
     return ret;
 }