pull up r24724 from trunk

 ------------------------------------------------------------------------
 r24724 | ghudson | 2011-03-17 18:10:44 -0400 (Thu, 17 Mar 2011) | 9 lines

 ticket: 6885
 subject: KDC memory leak of reply padata for FAST replies
 target_version: 1.9.1
 tags: pullup

 kdc_fast_response_handle_padata() replaces rep->padata, causing the
 old value to be leaked.  As a minimal fix, free the old value of
 rep->padata before replacing it.

ticket: 6885
version_fixed: 1.9.2
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24950 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index c460eb8f8738a08e3e193976d8b639ae51448b22..7124c7c9c1c328b0636d59e73f81f31905643f26 100644 (file)
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -339,6 +339,7 @@ kdc_fast_response_handle_padata(struct kdc_request_state *state,
         pa[0].length = encrypted_reply->length;
         pa[0].contents = (unsigned char *)  encrypted_reply->data;
         pa_array[0] = &pa[0];
+        krb5_free_pa_data(kdc_context, rep->padata);
         rep->padata = pa_array;
         pa_array = NULL;
         free(encrypted_reply);