| author | Sam Hartman <hartmans@mit.edu> | 2010-10-13 01:19:14 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2010-10-13 01:19:14 +0000 |
| commit | 514fb79ce86b2472335492bf81ef78aeb5966e7d (patch) | |
| tree | 9f706471057cc912e4117b491526b7e1e4b063cb /src/lib | |
| parent | e3f005a93c30d4efd7eb321d4be16c87f6a73fce (diff) | |
Fix leaks in get_init_creds interface
In Debian Bug 598032, Bastian Blank points out that there are two
leaks in the get_init_creds interface:
* Free ctx->request->padata after sending the KDC request so it is not
overwritten the next time around the loop.
* If NULL is passed as options to krb5_get_init_creds_init, then set up
a non-extended options structure so that krb5_get_init_creds_free will
free the options.
ticket: 6801
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24452 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/krb5/krb/get_in_tkt.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 836a517f9..ab5f8ab83 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -798,6 +798,7 @@ krb5_init_creds_init(krb5_context context,
 int tmp;
 char *str = NULL;
 krb5_gic_opt_ext *opte;
+ krb5_get_init_creds_opt local_opts;
 TRACE_INIT_CREDS(context, client);
@@ -822,9 +823,12 @@ krb5_init_creds_init(krb5_context context,
 ctx->start_time = start_time;
 if (options == NULL) {
- code = krb5_get_init_creds_opt_alloc(context, &options);
- if (code != 0)
- goto cleanup;
+ /* We initialize a non-extended options because that way the shadowed
+ flag will be sent and they will be freed when the init_creds context is
+ freed. The options will be extended and copied off the stack into
+ storage by opt_to_opte.*/
+ krb5_get_init_creds_opt_init(&local_opts);
+ options = &local_opts;
 }
 code = krb5int_gic_opt_to_opte(context, options,
@@ -1175,6 +1179,8 @@ init_creds_step_request(krb5_context context,
 goto cleanup;
 cleanup:
+ krb5_free_pa_data( context, ctx->request->padata);
+ ctx->request->padata = NULL;
 return code;
 }
|
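Review bot: In the second hunk of krb5_init_creds_init, `options = &local_opts;` points the parameter at a stack object, so this is only safe if krb5int_gic_opt_to_opte always copies a non-extended structure into heap storage and nothing keeps `options` itself in ctx. The rest of that call and of the function lie outside the hunk, so this cannot be confirmed here; if opt_to_opte ever handed back its input pointer unchanged, ctx->opte would dangle once the function returns. The comment should state that invariant directly, and "sent" in it looks like a typo for "set": `/* Stack-local non-extended opts; opt_to_opte must copy them to the heap, so do not retain 'options' past that call. */`.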
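Review bot: In the init_creds_step_request hunk, the lines added after `cleanup:` dereference `ctx->request` on every exit path, including the error paths whose `goto cleanup` sits outside the hunk. If any of those can run before ctx->request is set, this is a NULL dereference, so it is worth confirming or guarding with `if (ctx->request != NULL)`. A short why-comment would also help the next reader, e.g. `/* padata is rebuilt on each step; free it here so the next pass does not leak the old list */`. The call `krb5_free_pa_data( context,` also has a stray space after the parenthesis.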
