We have a Heimdal special where when the acceptor sends back an error token for clock skew or ticket-not-yet-valid errors then the acceptor application will get GSS_S_CONTINUE_NEEDED from gss_accept_sec_context() so that the initiator may retry with the same context. But we were retaining the auth_context, which means that when the initiator does send a new token, the acceptor leaks memory because krb5_verify_ap_req2() doesn't clean up the auth_context on reuse. The end result is that we leak a lot in those cases.