Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.427 (Entity 5.427)
Subject: memleak in decrypt_2ndtkt()
X-RT-Original-Encoding: iso-8859-1
Content-Length: 792

In decrypt_2ndtkt() there is:

    retval = kdc_get_server_key(kdc_context, stkt,
                                flags,
                                TRUE, /* match_enctype */
                                &server,  <<<< alloc'ed memory
                                &key,
                                &kvno);
    if (retval != 0) {
        *status = "2ND_TKT_SERVER";
        goto cleanup;
    }
    retval = krb5_decrypt_tkt_part(kdc_context, key,
                                   req->second_ticket[0]);
    krb5_free_keyblock(kdc_context, key);
    if (retval != 0) {
        *status = "2ND_TKT_DECRYPT";
        goto cleanup;
    }
    *server_out = server;
cleanup:
    return retval;
}

If kdc_get_server_key() succeeds but krb5_decrypt_tkt_part() fails,
server is leaked.