Diffstat (limited to 'source3/librpc/crypto')
-rw-r--r-- | source3/librpc/crypto/gse.c | 35 |
1 files changed, 31 insertions, 4 deletions
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 42e9c942a9..22b940a1f3 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -85,6 +85,24 @@ struct gse_context {
 bool authenticated;
 };
 
+#ifndef HAVE_GSS_OID_EQUAL
+
+static bool gss_oid_equal(const gss_OID o1, const gss_OID o2)
+{
+ if (o1 == o2) {
+ return true;
+ }
+ if ((o1 == NULL && o2 != NULL) || (o1 != NULL && o2 == NULL)) {
+ return false;
+ }
+ if (o1->length != o2->length) {
+ return false;
+ }
+ return memcmp(o1->elements, o2->elements, o1->length) == false;
+}
+
+#endif
+
 /* free non talloc dependent contexts */
 static int gse_context_destructor(void *ptr)
 {
@@ -125,10 +143,19 @@ static int gse_context_destructor(void *ptr)
 gss_maj = gss_release_cred(&gss_min,
 &gse_ctx->delegated_creds);
 }
- if (gse_ctx->ret_mech) {
- gss_maj = gss_release_oid(&gss_min,
- &gse_ctx->ret_mech);
- }
+
+ /* MIT and Heimdal differ as to if you can call
+ * gss_release_oid() on this OID, generated by
+ * gss_{accept,init}_sec_context(). However, as long as the
+ * oid is gss_mech_krb5 (which it always is at the moment),
+ * then this is a moot point, as both declare this particular
+ * OID static, and so no memory is lost. This assert is in
+ * place to ensure that the programmer who wishes to extend
+ * this code to EAP or other GSS mechanisms determines an
+ * implementation-dependent way of releasing any dynamically
+ * allocated OID */
+ SMB_ASSERT(gss_oid_equal(&gse_ctx->gss_mech, GSS_C_NO_OID) || gss_oid_equal(&gse_ctx->gss_mech, gss_mech_krb5));
+
 return 0;
 }
 
|
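Review bot: In the fallback `gss_oid_equal()`, the final line compares memcmp()'s int result with the bool constant `false`; it gives the right answer only because `false` is 0, and it reads as if memcmp() returned a truth value. Write `return memcmp(o1->elements, o2->elements, o1->length) == 0;` instead. Once the `o1 == o2` case has returned, the two-sided NULL test reduces to `if (o1 == NULL || o2 == NULL) {`. A one-line comment above the `#ifndef` saying this is a stand-in for GSS libraries that do not export gss_oid_equal() would explain the guard.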
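Review bot: The new SMB_ASSERT in gse_context_destructor() tests `gse_ctx->gss_mech`, while the comment above it and the removed gss_release_oid() call concern `gse_ctx->ret_mech`, the OID handed back by gss_{accept,init}_sec_context(); if the two can ever differ, a dynamically allocated returned OID would go unreleased without the assert firing. The first disjunct also looks dead: `&gse_ctx->gss_mech` is the address of a struct member and so is never the null GSS_C_NO_OID, and the fallback gss_oid_equal() added in the first hunk returns false when only one side is NULL. Consider checking the returned OID directly, `SMB_ASSERT(gse_ctx->ret_mech == GSS_C_NO_OID || gss_oid_equal(gse_ctx->ret_mech, gss_mech_krb5));`. The destructor's body begins outside this hunk, so how ret_mech is populated is not visible here.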