don't canonicalize names that are short then 2 name element

Since KDC will probably guess wrong on them, and doing afs@CLIENT-REALM have too large change of actually working.
2009-10-05 22:07:47 -07:00
parent 4c5a79f21b
commit 6d1d17efed
1 changed files with 6 additions and 0 deletions
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -898,6 +898,12 @@ get_cred_kdc_referral(krb5_context context,
    int loop = 0;
    int ok_as_delegate = 1;

+    if (in_creds->client->name.name_string.len < 2 && !flags.b.canonicalize) {
+	krb5_set_error_message(context, KRB5KDC_ERR_PATH_NOT_ACCEPTED,
+			       N_("Name too short to do referals, skipping", ""));
+	return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
+    }
+
    memset(&tgt, 0, sizeof(tgt));
    memset(&ticket, 0, sizeof(ticket));