From fcba7a9fd1709ebe954b84220f57e651a3a34f77 Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@twosigma.com>
Date: Tue, 18 Jan 2022 00:32:23 -0600
Subject: [PATCH] kdc: Check errors from krb5_auth_con_getauthenticator()

---
 kdc/krb5tgs.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index ee2f68f3b..23759f688 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -810,7 +810,12 @@ tgs_check_authenticator(krb5_context context,
     krb5_error_code ret;
     krb5_crypto crypto;
 
-    krb5_auth_con_getauthenticator(context, ac, &auth);
+    ret = krb5_auth_con_getauthenticator(context, ac, &auth);
+    if (ret) {
+	kdc_log(context, config, 2,
+                "Out of memory checking PA-TGS Authenticator");
+        goto out;
+    }
     if(auth->cksum == NULL){
 	kdc_log(context, config, 4, "No authenticator in request");
 	ret = KRB5KRB_AP_ERR_INAPP_CKSUM;