Memory leak when using Kerberos authentication on macOS #139

@fralken

Every time a new krb5 token is acquired during a connection, 32 bytes are leaked.
The leak happens in the internal function _krb5_build_authenticator that is called by gss_init_sec_context.

❯ leaks $(pgrep -n cntlm)
Process 17072 is not debuggable. Due to security restrictions, leaks can only show or save contents of readonly memory of restricted processes.

Process:         cntlm [17072]
Path:            /Users/USER/*/cntlm
Load Address:    0x1026e0000
Identifier:      cntlm
Version:         0
Code Type:       ARM64
Platform:        macOS
Parent Process:  zsh [15436]
Target Type:     live task

Date/Time:       2025-10-17 14:55:27.939 +0200
Launch Time:     2025-10-17 14:53:04.651 +0200
OS Version:      macOS 15.7.1 (24G231)
Report Version:  7
Analysis Tool:   /usr/bin/leaks

Physical footprint:         9025K
Physical footprint (peak):  9041K
Idle exit:                  untracked
----

leaks Report Version: 4.0, multi-line stacks
Process 17072: 4044 nodes malloced for 444 KB
Process 17072: 1 leak for 32 total leaked bytes.

STACK OF 1 INSTANCE OF 'ROOT LEAK: <malloc in _krb5_build_authenticator>':
12  libsystem_pthread.dylib               0x186342b80 thread_start + 8
11  libsystem_pthread.dylib               0x186347bc8 _pthread_start + 136
10  cntlm                                 0x1026e0edc proxy_thread + 316
9   cntlm                                 0x1026ecb6c forward_request + 1456
8   cntlm                                 0x1026f0180 proxy_authenticate + 124
7   cntlm                                 0x10275e2e4 acquire_kerberos_token + 296
6   cntlm                                 0x10275e0bc client_establish_context + 268
5   com.apple.GSS                         0x198798658 gss_init_sec_context + 1096
4   com.apple.GSS                         0x1987993d0 _gsskrb5_init_sec_context + 1036
3   com.apple.GSS                         0x19879ac60 init_auth_step + 1796
2   com.apple.Heimdal                     0x1961e6ec4 _krb5_build_authenticator + 840
1   libsystem_malloc.dylib                0x1861639cc _malloc + 88
0   libsystem_malloc.dylib                0x1861790f4 _malloc_zone_malloc_instrumented_or_legacy + 268
====
    1 (32 bytes) ROOT LEAK: <malloc in _krb5_build_authenticator 0x600003ebe020> [32]
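
Added example, not part of the original issue and not cntlm code: a small triage helper for a `leaks` report in the format shown above. It reports which image made the leaked allocation and the innermost application frame that led to it. The function name `triage`, the `app_image` parameter and the trimmed sample text are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed copy of the report format shown in the issue.
SAMPLE = """\
Process 17072: 4044 nodes malloced for 444 KB
Process 17072: 1 leak for 32 total leaked bytes.

STACK OF 1 INSTANCE OF 'ROOT LEAK: <malloc in _krb5_build_authenticator>':
7   cntlm                 0x10275e2e4 acquire_kerberos_token + 296
6   cntlm                 0x10275e0bc client_establish_context + 268
5   com.apple.GSS         0x198798658 gss_init_sec_context + 1096
2   com.apple.Heimdal     0x1961e6ec4 _krb5_build_authenticator + 840
1   libsystem_malloc.dylib 0x1861639cc _malloc + 88
====
"""

SUMMARY = re.compile(r"Process \d+: (\d+) leaks? for (\d+) total leaked bytes")
# frame number, image name, address, symbol, offset
FRAME = re.compile(r"^(\d+)\s+(\S+)\s+0x[0-9a-f]+\s+(\S+) \+ \d+$")
ALLOCATOR_IMAGES = {"libsystem_malloc.dylib"}  # skipped when naming the owner


def triage(report, app_image="cntlm"):
    """Summarise the first leak stack: totals, the image and symbol that
    requested the allocation, and the innermost frame of app_image."""
    m = SUMMARY.search(report)
    if m is None:
        raise ValueError("no leak summary line found")
    # Only the first 'STACK OF' section is read; frame numbers restart per stack.
    parts = report.split("STACK OF", 2)
    stack = parts[1] if len(parts) > 1 else ""
    frames = []
    for line in stack.splitlines():
        f = FRAME.match(line.strip())
        if f:
            frames.append((int(f.group(1)), f.group(2), f.group(3)))
    frames.sort()  # frame 0 is the innermost call
    owner = next(((img, sym) for _, img, sym in frames
                  if img not in ALLOCATOR_IMAGES), None)
    app = next((sym for _, img, sym in frames if img == app_image), None)
    return {"leaks": int(m.group(1)), "bytes": int(m.group(2)),
            "allocated_by": owner, "last_app_frame": app}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Separating `allocated_by` from `last_app_frame` shows whether the allocation was made inside a system library or directly by the application's own code.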
