Avoid leaks on gss_accept_sec_context errors

Failure handling during the postprocessing of
mech->gss_accept_sec_context was inconsistent.  In one case we delete
the output token but leave the partly-constructed context present in
*context_handle (violating RFC 2744 if this is the first call); in
other cases we leave the output token in the caller's buffer but do
destroy the partly-constructed context.  Make this more consistent by
always destroying the output token and partly-constructed context.
(RFC 2744 prefers, but does not require, leaving the
partly-constructed context present on error if it was present on
entry.  At the moment we are ignoring that preference.)

[ghudson@mit.edu: Rewrote commit message with more details]

1 files changed, 5 insertions, 4 deletions

diff --git a/src/lib/gssapi/mechglue/g_accept_sec_context.c b/src/lib/gssapi/mechglue/g_accept_sec_context.c
index f6afc4517..85e41d310 100644
--- a/src/lib/gssapi/mechglue/g_accept_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_accept_sec_context.c
@@ -236,12 +236,10 @@ gss_cred_id_t *		d_cred;
 			    &temp_minor_status, mech,
 			    internal_name, &tmp_src_name);
 		    if (temp_status != GSS_S_COMPLETE) {
+			status = temp_status;
 			*minor_status = temp_minor_status;
 			map_error(minor_status, mech);
-			if (output_token->length)
-			    (void) gss_release_buffer(&temp_minor_status,
-						      output_token);
-			return (temp_status);
+			goto error_out;
 		    }
 		    *src_name = tmp_src_name;
 		} else
@@ -329,6 +327,9 @@ error_out:
 	(void) gss_release_buffer(&temp_minor_status,
 				  (gss_buffer_t)tmp_src_name);
 
+    if (output_token->length)
+	(void) gss_release_buffer(&temp_minor_status, output_token);
+
     return (status);
 }
 #endif /* LEAN_CLIENT */