From d35279033178ccaa9b3db5d6253dff6a56118f31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
Date: Wed, 2 Nov 2016 09:23:47 +0100
Subject: [PATCH] [mod_authn_gssapi] fix memory leak

---
 NEWS                   |  1 +
 src/mod_authn_gssapi.c | 22 ++++++++++++----------
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/NEWS b/NEWS
index e11da879..cb869d70 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ NEWS
 
 - 1.4.44
   * [mod_scgi] fix segfault (fixes #2762)
+  * [mod_authn_gssapi] fix memory leak
 
 - 1.4.43 - 2016-10-31
   * [autobuild] remove mod_authn_gssapi dep on resolv
diff --git a/src/mod_authn_gssapi.c b/src/mod_authn_gssapi.c
index a2afffc0..bebc515e 100644
--- a/src/mod_authn_gssapi.c
+++ b/src/mod_authn_gssapi.c
@@ -334,7 +334,6 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu
 
     /*(future: might modify http_auth_scheme_t to store (void *)p_d
      * and pass to checkfn, similar to http_auth_backend_t) */
-    buffer *ktname;
     buffer *sprinc;
     int ret = 0;
 
@@ -347,15 +346,18 @@ static handler_t mod_authn_gssapi_check_spnego(server *srv, connection *con, plu
 
     mod_authn_gssapi_patch_connection(srv, con, p);
 
-    /* ??? Should code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
-     *     be used, instead of putenv() of KRB5_KTNAME=...?  See mod_authn_gssapi_basic() */
-    /* ??? Should KRB5_KTNAME go into con->environment instead ??? */
-    /* ??? Should KRB5_KTNAME be added to mod_authn_gssapi_basic(), too? */
-    ktname = buffer_init_string("KRB5_KTNAME=");
-    buffer_append_string_buffer(ktname, p->conf.auth_gssapi_keytab);
-    putenv(ktname->ptr);
-    /* ktname becomes part of the environment, do not free */
-    /* buffer_free(ktname); */
+    {
+        /* ??? Should code = krb5_kt_resolve(kcontext, p->conf.auth_gssapi_keytab->ptr, &keytab);
+         *     be used, instead of putenv() of KRB5_KTNAME=...?  See mod_authn_gssapi_basic() */
+        /* ??? Should KRB5_KTNAME go into con->environment instead ??? */
+        /* ??? Should KRB5_KTNAME be added to mod_authn_gssapi_basic(), too? */
+        buffer ktname;
+        memset(&ktname, 0, sizeof(ktname));
+        buffer_copy_string(&ktname, "KRB5_KTNAME=");
+        buffer_append_string_buffer(&ktname, p->conf.auth_gssapi_keytab);
+        putenv(ktname.ptr);
+        /* ktname.ptr becomes part of the environment, do not free */
+    }
 
     sprinc = buffer_init_buffer(p->conf.auth_gssapi_principal);
     if (strchr(sprinc->ptr, '/') == NULL) {