From 07877aa74276d6b81fecb14329da50949b0f1dc8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Fri, 6 Feb 2026 17:50:55 +0100
Subject: [PATCH] Release gnamebuf also on the error path

In dst_gssapi_acceptctx(), the gnamebuf could leak a little bit of
memory if dns_name_fromtext() would theoretically fail.  This would
require a Kerberos principal with invalid DNS name.

(cherry picked from commit 3ad87f1ad612fb6adce175760483735066300266)
---
 lib/dns/gssapictx.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index dc31020c9e..3cd0fbba19 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -777,15 +777,6 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 
 		CHECK(dns_name_fromtext(principal, &namebuf, dns_rootname, 0,
 					NULL));
-
-		if (gnamebuf.length != 0U) {
-			gret = gss_release_buffer(&minor, &gnamebuf);
-			if (gret != GSS_S_COMPLETE) {
-				gss_log(3, "failed gss_release_buffer: %s",
-					gss_error_tostring(gret, minor, buf,
-							   sizeof(buf)));
-			}
-		}
 	} else {
 		result = DNS_R_CONTINUE;
 	}
@@ -793,6 +784,15 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 	*ctxout = context;
 
 cleanup:
+	if (gnamebuf.length != 0U) {
+		gret = gss_release_buffer(&minor, &gnamebuf);
+		if (gret != GSS_S_COMPLETE) {
+			gss_log(3, "failed gss_release_buffer: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
+		}
+	}
+
 	if (gname != NULL) {
 		gret = gss_release_name(&minor, &gname);
 		if (gret != GSS_S_COMPLETE) {