On Wed, Mar 01, 2023 at 01:43:50AM -0500, Tom Lane wrote:
> So ... why do you think this is our bug, and not a Kerberos bug?
> The leak seems to be buried quite far in libgssapi_krb5.so.
Yeah, libpq calls gss_acquire_cred(). So, assuming that the leak is
localized within one of the resources allocated by this call, there is
nothing in the kerberos docs that point to a routine to free it:
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html or
gssapi.rst in its code tree.
I may be missing something, of course.
--
Michael