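In decrypt_2ndtkt() there is:

    retval = kdc_get_server_key(kdc_context, stkt,
                                flags,
                                TRUE, /* match_enctype */
                                &server,    <<<< alloc'ed memory
                                &key,
                                &kvno);
    if (retval != 0) {
        *status = "2ND_TKT_SERVER";
        goto cleanup;
    }
    retval = krb5_decrypt_tkt_part(kdc_context, key,
                                   req->second_ticket[0]);
    krb5_free_keyblock(kdc_context, key);
    if (retval != 0) {
        *status = "2ND_TKT_DECRYPT";
        goto cleanup;
    }
    *server_out = server;

    cleanup:
        return retval;
    }

If kdc_get_server_key() succeeds but krb5_decrypt_tkt_part() fails, server is leaked: the "2ND_TKT_DECRYPT" path jumps to cleanup before server is handed to the caller through *server_out, and cleanup only returns retval without releasing it. The ticket being decrypted comes from the request (req->second_ticket[0]), so every request that fails at this step leaks one entry. The cleanup path should free server whenever ownership was not transferred to *server_out (for example with krb5_db_free_principal(), setting server to NULL after the successful hand-off).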