From 53056796334be7810a427f491679bceba729580a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 18 Mar 2026 01:00:39 +0100
Subject: [PATCH] Fix GSS context leak when principal name is empty
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When gss_accept_sec_context() completes successfully but gss_display_name() returns an empty principal, the GSS context was leaked — it was neither stored in a key nor deleted. Delete the context and reject with BADKEY in this case. This should only occur due to a GSS library bug, since a completed context should always have a valid principal.
---
 lib/dns/tkey.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 42deb423a2..03615f07e5 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -200,6 +200,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 if (tsigkey != NULL) {
 dns_tsigkey_detach(&tsigkey);
 }
+ dst_gssapi_deletectx(tctx->mctx, &gss_ctx);
+ tkeyout->error = dns_tsigerror_badkey;
+ tkey_log("process_gsstkey(): "
+ "completed context with empty principal");
+ return ISC_R_SUCCESS;
 } else if (tsigkey == NULL) {
 #if HAVE_GSSAPI
 OM_uint32 gret, minor, lifetime;
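Review bot: The added `dst_gssapi_deletectx(tctx->mctx, &gss_ctx);` is not wrapped in `#if HAVE_GSSAPI`, while the neighbouring `else if` branch in the same hunk guards its GSS declarations with it; if process_gsstkey is compiled without GSSAPI and dst_gssapi_deletectx is not a stub in that configuration, the new line needs the same guard, or a comment stating why it does not. The enclosing branch that handles the empty principal starts before the hunk, so whether it already sits inside such a guard cannot be confirmed from here. A short why-comment above the new lines would also help the next reader, e.g. `/* Completed context but no principal (GSS library bug): free it instead of leaking it, and reject as a bad key. */`.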