From 2baa77a96bc3586eecfa6965c7519d9b14fe2583 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 25 Jan 2013 12:23:38 +1100
Subject: [PATCH] 3479. [bug] Address potential memory leaks in gssapi support code. [RT #32405]
---
 CHANGES | 3 +++
 lib/dns/spnego.c | 13 +++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 9f03d22950..88509acae7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3479. [bug] Address potential memory leaks in gssapi support
+ code. [RT #32405]
+
 3478. [port] Fix a build failure in strict C99 environments
 [RT #32475]
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
index 601511b557..f10b14ee96 100644
--- a/lib/dns/spnego.c
+++ b/lib/dns/spnego.c
@@ -630,8 +630,10 @@ gss_accept_sec_context_spnego(OM_uint32 *minor_status,
 sizeof(mechbuf),
 &init_token.mechTypes.val[i],
 &mech_len);
- if (ret)
+ if (ret) {
+ free_NegTokenInit(&init_token);
 return (GSS_S_DEFECTIVE_TOKEN);
+ }
 if (mech_len == GSS_KRB5_MECH->length &&
 memcmp(GSS_KRB5_MECH->elements,
 mechbuf + sizeof(mechbuf) - mech_len,
@@ -650,8 +652,10 @@ gss_accept_sec_context_spnego(OM_uint32 *minor_status,
 }
 }
- if (!found)
+ if (!found) {
+ free_NegTokenInit(&init_token);
 return (send_reject(minor_status, output_token));
+ }
 if (i == 0 && init_token.mechToken != NULL) {
 ibuf.length = init_token.mechToken->length;
@@ -669,12 +673,14 @@ gss_accept_sec_context_spnego(OM_uint32 *minor_status,
 time_rec,
 delegated_cred_handle);
 if (GSS_ERROR(major_status)) {
+ free_NegTokenInit(&init_token);
 send_reject(&minor_status2, output_token);
 return (major_status);
 }
 ot = &obuf;
 }
 ret = send_accept(&minor_status2, output_token, ot, pref);
+ free_NegTokenInit(&init_token);
 if (ot != NULL && ot->length != 0U)
 gss_release_buffer(&minor_status2, ot);
@@ -865,6 +871,8 @@ der_get_oid(const unsigned char *p, size_t len,
 int n;
 size_t oldlen = len;
+ data->components = NULL;
+ data->length = 0;
 if (len < 1U)
 return (ASN1_OVERRUN);
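Review bot: In gss_accept_sec_context_spnego, `free_NegTokenInit(&init_token)` is now repeated before each of four exits (the `if (ret)` return, the `!found` reject, the `GSS_ERROR` branch, and after `send_accept`), so any return added later can quietly reintroduce the leak on tokens supplied by the peer. A single exit label would keep ownership in one place, for example `major_status = GSS_S_DEFECTIVE_TOKEN; goto cleanup;` with `cleanup: free_NegTokenInit(&init_token); return (major_status);`. The function starts and ends outside these hunks, so any returns between the decode of `init_token` and the first hunk cannot be checked from here and should be audited for the same leak.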
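Review bot: The two initialisers added at the top of der_get_oid carry no comment saying why they are there, and the reason is not obvious from the function alone. Presumably they make `*data` safe to hand to a free routine when the function returns early, for example on the `len < 1U` overrun check, which the error-path frees added elsewhere in this commit would rely on; a short comment such as `/* Leave *data freeable on every early return. */` would record that. The rest of der_get_oid is outside the hunk, so whether later failure paths also reset `components` after releasing it cannot be confirmed here.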
@@ -1696,6 +1704,7 @@ spnego_reply(OM_uint32 *minor_status,
 ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
 if (ret) {
+ free_NegTokenResp(&resp);
 *minor_status = ENOMEM;
 return (GSS_S_FAILURE);
 }
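Review bot: In spnego_reply, the added `free_NegTokenResp(&resp)` runs on a structure whose decode has just failed, so it is only safe if decode_NegTokenResp leaves every pointer in `resp` either NULL or still owned by the caller. If the decoder already releases `resp` on its own failure path (its body is not visible here), this call becomes a double free unless free_NegTokenResp also resets each pointer to NULL. Once that is confirmed, a comment such as `/* resp is zeroed or partially filled after a failed decode; freeing it is safe */` would record the contract. Separately, the unchanged `*minor_status = ENOMEM;` reports every decode failure, including a malformed token, as out of memory, which makes bad-token events harder to tell apart in logs.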