From 2550a37b4fe67cef2049587667bfe4a84911ba3e Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Dec 18 2013 19:33:23 +0000 Subject: Pull in a fix for a mem leak from master (RT#7805) - pull in fix from master to avoid a memory leak in a couple of error cases which could occur while obtaining acceptor credentials (RT#7805, part of #1043962)
---
diff --git a/krb5-master-keytab_close.patch b/krb5-master-keytab_close.patch
new file mode 100644
index 0000000..d020ae6
--- /dev/null
+++ b/krb5-master-keytab_close.patch
@@ -0,0 +1,39 @@
+commit decccbcb5075f8fbc28a535a9b337afc84a15dee
+Author: Greg Hudson
+Date: Mon Dec 16 15:37:56 2013 -0500
+
+ Fix GSS krb5 acceptor acquire_cred error handling
+
+ When acquiring acceptor creds with a specified name, if we fail to
+ open a replay cache, we leak the keytab handle. If there is no
+ specified name and we discover that there is no content in the keytab,
+ we leak the keytab handle and return the wrong major code. Memory
+ leak reported by Andrea Campi.
+
+ ticket: 7805
+ target_version: 1.12.1
+ tags: pullup
+
+diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
+index 0efcad4..9547207 100644
+--- a/src/lib/gssapi/krb5/acquire_cred.c
++++ b/src/lib/gssapi/krb5/acquire_cred.c
+@@ -225,6 +225,7 @@ acquire_accept_cred(krb5_context context,
+ code = krb5_get_server_rcache(context, &cred->name->princ->data[0],
+ &cred->rcache);
+ if (code) {
++ krb5_kt_close(context, kt);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
+@@ -232,8 +233,9 @@ acquire_accept_cred(krb5_context context,
+ /* Make sure we have a keytab with keys in it. */
+ code = krb5_kt_have_content(context, kt);
+ if (code) {
++ krb5_kt_close(context, kt);
+ *minor_status = code;
+- return GSS_S_FAILURE;
++ return GSS_S_CRED_UNAVAIL;
+ }
+ }
+
diff --git a/krb5.spec b/krb5.spec
index 2d8e00c..dbf89a7 100644
--- a/krb5.spec
+++ b/krb5.spec
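Review bot: The second embedded hunk changes caller-visible behaviour as well as fixing the leak: when `krb5_kt_have_content` fails, `acquire_accept_cred` now returns `GSS_S_CRED_UNAVAIL` instead of `GSS_S_FAILURE`, but the Subject and the `%changelog` entry in krb5.spec describe only the memory leak. Acceptors or wrappers that branch on the major status would presumably behave differently after this update, so the changelog should say so, e.g. `- pull in fix from master to avoid a keytab handle leak and to return GSS_S_CRED_UNAVAIL rather than GSS_S_FAILURE when the keytab has no content (RT#7805, part of #1043962)`. Both embedded hunks show only part of `acquire_accept_cred`, so whether its other exit paths also release `kt` cannot be confirmed from this patch.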
@@ -93,6 +93,7 @@ Patch134: krb5-1.11-kpasswdtest.patch Patch135: krb5-master-no-malloc0.patch Patch136: krb5-master-ignore-empty-unnecessary-final-token.patch Patch137: krb5-master-gss_oid_leak.patch +Patch138: krb5-master-keytab_close.patch License: MIT URL: http://web.mit.edu/kerberos/www/ @@ -306,6 +307,7 @@ ln -s NOTICE LICENSE %patch135 -p1 -b .no-malloc0 %patch136 -p1 -b .ignore-empty-unnecessary-final-token %patch137 -p1 -b .gss_oid_leak +%patch138 -p1 -b .keytab_close # Apply when the hard-wired or configured default location is # DIR:/run/user/%%{uid}/krb5cc. @@ -968,6 +970,9 @@ exit 0 we've already finished authenticating (RT#7797, part of #1043962) - pull in fix from master to avoid a memory leak when a mechanism's init_sec_context function fails (RT#7803, part of #1043962) +- pull in fix from master to avoid a memory leak in a couple of error + cases which could occur while obtaining acceptor credentials (RT#7805, part + of #1043962) * Wed Dec 11 2013 Nalin Dahyabhai - 1.12-1 - update to 1.12 final