From 0bff33c790ac37785b1a70448d8bf1bfad954268 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?=
Date: Fri, 13 Feb 2026 11:34:32 +0100
Subject: [PATCH] gss-kex: Fix memory leaks in ssh_gssapi_check_client_config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Upon unsuccessful alloc of the gssapi context, the function would return early without freeing the supported OID set. With opts->gss_client_identity enabled, the function would not free the client_id allocated by gss_import_name.
Signed-off-by: Pavol Žáčik
Reviewed-by: Jakub Jelen
---
 src/gssapi.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/gssapi.c b/src/gssapi.c
index dc9ed2b5..ab66fe44 100644
--- a/src/gssapi.c
+++ b/src/gssapi.c
@@ -731,7 +731,8 @@ int ssh_gssapi_check_client_config(ssh_session session)
 gssapi = calloc(1, sizeof(struct ssh_gssapi_struct));
 if (gssapi == NULL) {
 ssh_set_error_oom(session);
- return SSH_ERROR;
+ ret = SSH_ERROR;
+ break;
 }
 gssapi->server_creds = GSS_C_NO_CREDENTIAL;
 gssapi->client_creds = GSS_C_NO_CREDENTIAL;
@@ -820,6 +821,11 @@ int ssh_gssapi_check_client_config(ssh_session session)
 gss_release_buffer(&min_stat, &output_token);
 gss_delete_sec_context(&min_stat, &gssapi->ctx, GSS_C_NO_BUFFER);
+ if (client_id != GSS_C_NO_NAME) {
+ gss_release_name(&min_stat, &client_id);
+ client_id = GSS_C_NO_NAME;
+ }
 SAFE_FREE(gssapi->canonic_user);
 SAFE_FREE(gssapi);
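Review bot: The new `break` in the `gssapi == NULL` branch of the first hunk leaves the enclosing loop or switch with `gssapi` still NULL, and where it lands is outside the hunk. The cleanup shown in the second hunk evaluates `&gssapi->ctx` and `gssapi->canonic_user`, so if that cleanup is reachable from this `break`, the out-of-memory path would dereference a NULL pointer instead of leaking. Please confirm the `break` exits to code that only releases the supported OID set; otherwise guard the per-context cleanup with `if (gssapi != NULL) { ... }`. A short comment at the `break`, such as `/* falls through to the OID set release below; gssapi is NULL here */`, would make the intended exit path explicit.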