pull up r19021 from trunk

 r19021@cathode-dark-space:  epeisach | 2006-12-30 01:05:12 -0500
 subject: memory leak if defective header present in gss_krb5int_unseal_token_v3
 ticket: new
 tags: pullup

 If after unsealing the message, the TOK_ID is not 05 04, free memory
 before returning a defective token error.

ticket: 5238
version_fixed: 1.6.1

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@19073 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
index c5628e2c2883fdbe5a71821ed8c47573b5cb6f7a..d83ac8593c8473d07dae9ca605696ee263cce074 100644 (file)
--- a/src/lib/gssapi/krb5/k5sealv3.c
+++ b/src/lib/gssapi/krb5/k5sealv3.c
@@ -412,8 +412,10 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr,
            if (load_16_be(althdr) != 0x0504
                || althdr[2] != ptr[2]
                || althdr[3] != ptr[3]
-               || memcmp(althdr+8, ptr+8, 8))
+               || memcmp(althdr+8, ptr+8, 8)) {
+               free(plain.data);
                goto defective;
+           }
            message_buffer->value = plain.data;
            message_buffer->length = plain.length - ec - 16;
        } else {