KDC memory leak in FAST error path

When kdc_fast_handle_error() produces a FAST-encoded error, it puts it
into err->e_data and it never gets freed (since in the non-FAST case,
err->e_data contains aliased pointers).  Fix this by storing the
encoded error in an output variable which is placed into the error's
e_data by the caller and then freed.

ticket: 6884
target_version: 1.9.1
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24722 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 7 insertions, 3 deletions

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 0cc21cec49..32ae121928 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -688,7 +688,7 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
 {
     krb5_error errpkt;
     krb5_error_code retval;
-    krb5_data *scratch;
+    krb5_data *scratch, *fast_edata = NULL;
     krb5_pa_data **pa = NULL;
     krb5_typed_data **td = NULL;
     size_t size;
@@ -747,9 +747,12 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
         }
     }
     retval = kdc_fast_handle_error(kdc_context, rstate,
-                                   request, pa, &errpkt);
-    if (retval == 0)
+                                   request, pa, &errpkt, &fast_edata);
+    if (retval == 0) {
+        if (fast_edata != NULL)
+            errpkt.e_data = *fast_edata;
         retval = krb5_mk_error(kdc_context, &errpkt, scratch);
+    }
 
     free(errpkt.text.data);
     if (retval)
@@ -757,6 +760,7 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
     else
         *response = scratch;
     krb5_free_pa_data(kdc_context, pa);
+    krb5_free_data(kdc_context, fast_edata);
 
     return retval;
 }