[31516] in CVS-changelog-for-Kerberos-V5
krb5 commit: Fix memory leak in gss_acquire_cred_from()
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Fri Apr 10 19:52:28 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260410235222.F239E104B09@krbdev.mit.edu>
Date: Fri, 10 Apr 2026 19:52:22 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/e7b4a2ae07a07cc337c6a62c502f6167c52dd16b
commit e7b4a2ae07a07cc337c6a62c502f6167c52dd16b
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Apr 3 19:44:41 2026 -0400
Fix memory leak in gss_acquire_cred_from()
If gss_acquire_cred_from() is used with the krb5 mech and the verify
option (added in commit adbf73c507f383380c55d2ba9fa1ad6f30545bec), and
verification fails, make sure to free the credential we obtained
before returning. Reported by Evgeny Shemyakin.
ticket: 9204
src/lib/gssapi/krb5/acquire_cred.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index 0e12c2233..d35672fbb 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -613,7 +613,7 @@ get_initial_cred(krb5_context context, const struct verify_params *verify,
{
krb5_error_code code;
krb5_get_init_creds_opt *opt = NULL;
- krb5_creds creds;
+ krb5_creds creds = { 0 };
code = krb5_get_init_creds_opt_alloc(context, &opt);
if (code)
@@ -648,8 +648,8 @@ get_initial_cred(krb5_context context, const struct verify_params *verify,
cred->name->princ = creds.client;
creds.client = NULL;
- krb5_free_cred_contents(context, &creds);
cleanup:
+ krb5_free_cred_contents(context, &creds);
krb5_get_init_creds_opt_free(context, opt);
return code;
}
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
