From ab49f87d5cd4f70fdfe606449ebe1369aa6cbb61 Mon Sep 17 00:00:00 2001
From: Magnus Hagander <magnus@hagander.net>
Date: Thu, 14 Jan 2016 13:06:03 +0100
Subject: [PATCH] Properly close token in sspi authentication

We can never leak more than one token, but we shouldn't do that. We
don't bother closing it in the error paths since the process will
exit shortly anyway.

Christian Ullrich
---
 src/backend/libpq/auth.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 60d8d8848d3..334b1a89547 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -1255,6 +1255,8 @@ pg_SSPI_recvauth(Port *port)
 				(errmsg_internal("could not get user token: error code %lu",
 								 GetLastError())));
 
+	CloseHandle(token);
+
 	if (!LookupAccountSid(NULL, tokenuser->User.Sid, accountname, &accountnamesize,
 						  domainname, &domainnamesize, &accountnameuse))
 		ereport(ERROR,