Crashes when reply is dereferenced later, as the code tries to free memory; this happens in the error path for a nonexistent client principal.
diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2008-11-22 13:06:24.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2008-11-22 17:37:33.000000000 -0800
@@ -105,7 +105,7 @@
ticket_reply.enc_part.ciphertext.data = 0;
e_data.data = 0;
encrypting_key.contents = 0;
- reply.padata = 0;
+ memset(&reply, 0, sizeof(reply));
session_key.contents = 0;
enc_tkt_reply.authorization_data = NULL;
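Review bot: The added `memset(&reply, 0, sizeof(reply));` carries no comment saying why the whole struct has to be zeroed, so a later tidy-up could narrow it back to single-member initialisation and reintroduce the crash; a line such as `/* zero every member: the error path frees reply's fields before they are filled in */` above it would record the reason. The neighbouring locals `ticket_reply` and `enc_tkt_reply` are still initialised one member at a time, so if the cleanup code (not visible in this hunk) releases any other member of those, the same free of an uninitialised pointer may remain; zeroing them the same way would close that off. Since the description says this path is reached with a nonexistent client principal, which an unauthenticated request can presumably supply, a regression test for that case is worth adding so the daemon's availability does not depend on this one line. The enclosing function starts and ends outside the hunk.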