From ed2579e8af364953f10eedb407873ee6a23cbcaf Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Sat, 8 Jan 2022 14:06:13 +1100
Subject: [PATCH] kdc: don't leak etype/error message in pa_enc_ts_validate()

Recent auditing changes (b1dcc1a4) introduced a leak into pa_enc_ts_validate()
where the encryption type name and error message could be leaked.
---
 kdc/kerberos5.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 6733f8bd8..1730a5fe8 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -867,6 +867,8 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 	_kdc_r_log(r, 2, "Failed to decrypt PA-DATA -- %s "
 		   "(enctype %s) error %s",
 		   r->cname, str ? str : "unknown enctype", msg);
+	krb5_xfree(str);
+	krb5_free_error_message(context, msg);
 	_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_PA_ETYPE,
 				pa_key->key.keytype);
 	_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
@@ -930,6 +932,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
 	str = NULL;
     _kdc_r_log(r, 4, "ENC-TS Pre-authentication succeeded -- %s using %s",
 	       r->cname, str ? str : "unknown enctype");
+    krb5_xfree(str);
     _kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_PA_ETYPE,
 			    pa_key->key.keytype);
     _kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,