Memory leak in version 1.9.1. See comments prefixed with “GJM:”
#include "../../krb5/krb/auth_con.h"
static krb5_error_code KRB5_CALLCONV
make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
                   void *cksum_data, krb5_data **out)
    krb5_error_code code;
    krb5_int32 con_flags;
    unsigned char *ptr;
    struct gss_checksum_data *data = cksum_data;
         * RFC 4121 4.1.1 specifies forwarded credentials must be encrypted in
         * the session key, but krb5_fwd_tgt_creds will use the send subkey if
         * it's set in the auth context.  Suppress the send subkey
         * temporarily.
GJM: This refcount on the key is one. This line increases it to two . 
        krb5_auth_con_getsendsubkey_k(context, auth_context, &send_subkey);
GJM: This decrements the refcount back to one.
        krb5_auth_con_setsendsubkey_k(context, auth_context, NULL);
        code = krb5_fwd_tgt_creds(context, auth_context, 0,
                                  data->cred->name->princ, data->ctx->there->princ,
                                  data->cred->ccache, 1,
        /* Turn KRB5_AUTH_CONTEXT_DO_TIME back on and reset the send subkey. */
        krb5_auth_con_setflags(context, auth_context, con_flags);
GJM: This increases the ref count back to two.
        krb5_auth_con_setsendsubkey_k(context, auth_context, send_subkey);
GJM: This is the line that need to be added to fix the leak. This line to puts the refcount back to one since send_subkey is on the stack and goes out of scope the only reference left is in the context so the refcount should be one not two
         krb5_k_free_key(context, send_subkey);           <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ADD THIS LINE  TO FIX THE LEAK