From ef7242d8e4b355b1565ca20761c7e95f48185fdf Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Thu, 10 Mar 2011 00:53:44 +1100
Subject: [PATCH] don't leak Kerberos context if reauth not supported

---
 mech_eap/init_sec_context.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index cef79d1..b9693df 100644
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -574,9 +574,12 @@ eapGssSmInitIdentity(OM_uint32 *minor,
     struct eap_config eapConfig;
 
     if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE) {
+        OM_uint32 tmpMinor;
+
         /* server didn't support reauthentication, sent EAP request */
-        GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
+        gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
         ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
+        GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
         *smFlags |= SM_FLAG_RESTART;
     } else {
         *smFlags |= SM_FLAG_FORCE_SEND_TOKEN;
-- 
2.1.4