* conv_creds.c (krb524_convert_creds_kdc): loop through all of the
authorMark Eichin <eichin@mit.edu>
Mon, 13 Nov 1995 01:39:39 +0000 (01:39 +0000)
committerMark Eichin <eichin@mit.edu>
Mon, 13 Nov 1995 01:39:39 +0000 (01:39 +0000)
addresses returned by krb5_locate_kdc, don't just try the first one.
* krb524d.c (do_connection): check for particular failures of
decode_krb5_ticket, as well as for messages that are one int long
(which will eliminate our own error replies.)

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7095 dc483132-0cff-0310-8789-dd5450dbe970

src/krb524/ChangeLog
src/krb524/conv_creds.c
src/krb524/krb524d.c

index 2dc9500db12c85f4a75672096eb8810a2900caa9..0155f98ee578053acd61a6d52b7b17217d44eb1a 100644 (file)
@@ -1,3 +1,11 @@
+Sun Nov 12 04:29:08 1995  Mark W. Eichin  <eichin@cygnus.com>
+
+       * conv_creds.c (krb524_convert_creds_kdc): loop through all of the
+       addresses returned by krb5_locate_kdc, don't just try the first one.
+       * krb524d.c (do_connection): check for particular failures of
+       decode_krb5_ticket, as well as for messages that are one int long
+       (which will eliminate our own error replies.)
+
 Mon Oct  9 11:34:24 1995  Ezra Peisach  <epeisach@kangaroo.mit.edu>
 
        * Makefile.in: s/test/krb524test/ to handle screw case where test
index cd62d4cb1fa2b23f7d8d243a18970dbe377d45be..5ab295f2b988557a9d9031cf19f9286466455a05 100644 (file)
@@ -58,7 +58,7 @@ int krb524_convert_creds_kdc(context, v5creds, v4creds)
      CREDENTIALS *v4creds;
 {
      struct sockaddr_in *addrs;
-     int ret, naddrs;
+     int ret, naddrs, i;
 
      if ((ret = krb5_locate_kdc(context, &v5creds->server->realm, &addrs,
                               &naddrs)))
@@ -66,9 +66,26 @@ int krb524_convert_creds_kdc(context, v5creds, v4creds)
      if (naddrs == 0)
          ret = KRB5_KDC_UNREACH;
      else {
-         addrs[0].sin_port = 0; /* use krb524 default port */
-         ret = krb524_convert_creds_addr(context, v5creds, v4creds,
-                                         (struct sockaddr *) &addrs[0]);
+          for (i = 0; i<naddrs; i++) {
+           addrs[i].sin_port = 0; /* use krb524 default port */
+           ret = krb524_convert_creds_addr(context, v5creds, v4creds,
+                                           (struct sockaddr *) &addrs[i]);
+           /* stop trying on success */
+           if (!ret) break;
+           switch(ret) {
+           case ECONNREFUSED:
+           case ENETUNREACH:
+           case ENETDOWN:
+           case ETIMEDOUT:
+           case EHOSTDOWN:
+           case EHOSTUNREACH:
+             continue;
+           default:
+             break;            /* out of switch */
+           }
+           /* if we fall through to here, it wasn't an "ok" error */
+           break;
+         }
      }
      
      free(addrs);
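Review bot: When every address fails with one of the listed network errors, the new loop in krb524_convert_creds_kdc ends with `ret` holding the last attempt's code (for example `ETIMEDOUT`), while the `naddrs == 0` branch just above reports `KRB5_KDC_UNREACH` for what is effectively the same outcome. A caller that tests for the Kerberos code will not recognise an exhausted address list, so consider adding `if (i == naddrs) ret = KRB5_KDC_UNREACH;` after the loop. The `switch` whose `default` breaks only to fall into a second `break` is also easy to misread. A comment such as `/* retry the next KDC only on transport-level failures; any other error is final */` above it, or a single `if` on a small retryable-error predicate, would make the intent explicit. The function body starts and ends outside this hunk, so the early-return path after krb5_locate_kdc is not visible here.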
index df9a15c067c92d4301948d3a8b9b8a82042b2c9d..06e3fb6c0994a589ffc3528a95ac629202046dc2 100644 (file)
@@ -275,8 +275,24 @@ krb5_error_code do_connection(s, context)
      if (debug)
          printf("message received\n");
 
-     if ((ret = decode_krb5_ticket(&msgdata, &v5tkt)))
+     if ((ret = decode_krb5_ticket(&msgdata, &v5tkt))) {
+          switch (ret) {
+         case KRB5KDC_ERR_BAD_PVNO:
+         case ASN1_MISPLACED_FIELD:
+         case ASN1_MISSING_FIELD:
+         case ASN1_BAD_ID:
+         case KRB5_BADMSGTYPE:
+           /* don't even answer parse errors */
+           return ret;
+           break;
+         default:
+           /* try and recognize our own error packet */
+           if (msgdata.length == sizeof(int))
+             return KRB5_BADMSGTYPE;
+           else
          goto error;
+         }
+     }
      if (debug)
          printf("V5 ticket decoded\n");