Diffstat (limited to 'src')
-rw-r--r--src/krb524/ChangeLog8
-rw-r--r--src/krb524/conv_creds.c25
-rw-r--r--src/krb524/krb524d.c18
3 files changed, 46 insertions, 5 deletions
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index 2dc9500db..0155f98ee 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
@@ -1,3 +1,11 @@
+Sun Nov 12 04:29:08 1995 Mark W. Eichin <eichin@cygnus.com>
+
+ * conv_creds.c (krb524_convert_creds_kdc): loop through all of the
+ addresses returned by krb5_locate_kdc, don't just try the first one.
+ * krb524d.c (do_connection): check for particular failures of
+ decode_krb5_ticket, as well as for messages that are one int long
+ (which will eliminate our own error replies.)
+
Mon Oct 9 11:34:24 1995 Ezra Peisach <epeisach@kangaroo.mit.edu>
* Makefile.in: s/test/krb524test/ to handle screw case where test
diff --git a/src/krb524/conv_creds.c b/src/krb524/conv_creds.c
index cd62d4cb1..5ab295f2b 100644
--- a/src/krb524/conv_creds.c
+++ b/src/krb524/conv_creds.c
@@ -58,7 +58,7 @@ int krb524_convert_creds_kdc(context, v5creds, v4creds)
CREDENTIALS *v4creds;
{
struct sockaddr_in *addrs;
- int ret, naddrs;
+ int ret, naddrs, i;
if ((ret = krb5_locate_kdc(context, &v5creds->server->realm, &addrs,
&naddrs)))
@@ -66,9 +66,26 @@ int krb524_convert_creds_kdc(context, v5creds, v4creds)
if (naddrs == 0)
ret = KRB5_KDC_UNREACH;
else {
- addrs[0].sin_port = 0; /* use krb524 default port */
- ret = krb524_convert_creds_addr(context, v5creds, v4creds,
- (struct sockaddr *) &addrs[0]);
+ for (i = 0; i<naddrs; i++) {
+ addrs[i].sin_port = 0; /* use krb524 default port */
+ ret = krb524_convert_creds_addr(context, v5creds, v4creds,
+ (struct sockaddr *) &addrs[i]);
+ /* stop trying on success */
+ if (!ret) break;
+ switch(ret) {
+ case ECONNREFUSED:
+ case ENETUNREACH:
+ case ENETDOWN:
+ case ETIMEDOUT:
+ case EHOSTDOWN:
+ case EHOSTUNREACH:
+ continue;
+ default:
+ break; /* out of switch */
+ }
+ /* if we fall through to here, it wasn't an "ok" error */
+ break;
+ }
}
free(addrs);
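Review bot: When every address fails with one of the listed network errors, the loop leaves `ret` holding the errno of the last attempt, whereas the `naddrs == 0` branch just above reports `KRB5_KDC_UNREACH` for what is in effect the same condition, no reachable server. Consider adding `if (i == naddrs) ret = KRB5_KDC_UNREACH;` after the loop, or documenting that callers may see raw errno values from this function. Stopping on any error outside the list looks deliberate, since a definite answer from one server should presumably not be retried against the next, but the `continue` inside the `switch` followed by two `break`s is easy to misread. A comment above the `switch` such as `/* only transport failures move on to the next address */` would make that intent explicit. krb524_convert_creds_kdc starts and ends outside this hunk.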
diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c
index df9a15c06..06e3fb6c0 100644
--- a/src/krb524/krb524d.c
+++ b/src/krb524/krb524d.c
@@ -275,8 +275,24 @@ krb5_error_code do_connection(s, context)
if (debug)
printf("message received\n");
- if ((ret = decode_krb5_ticket(&msgdata, &v5tkt)))
+ if ((ret = decode_krb5_ticket(&msgdata, &v5tkt))) {
+ switch (ret) {
+ case KRB5KDC_ERR_BAD_PVNO:
+ case ASN1_MISPLACED_FIELD:
+ case ASN1_MISSING_FIELD:
+ case ASN1_BAD_ID:
+ case KRB5_BADMSGTYPE:
+ /* don't even answer parse errors */
+ return ret;
+ break;
+ default:
+ /* try and recognize our own error packet */
+ if (msgdata.length == sizeof(int))
+ return KRB5_BADMSGTYPE;
+ else
goto error;
+ }
+ }
if (debug)
printf("V5 ticket decoded\n");
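Review bot: The test `msgdata.length == sizeof(int)` in the `default:` branch recognises the daemon's own error reply by the host's `int` size, so the silent-drop path that stops error replies from being answered depends on the build platform rather than on the wire format. If the error reply is a fixed-width integer (its encoding is outside this hunk), compare against a named constant for that width instead. Only the five listed codes are dropped without an answer; any other decode failure on a message of a different length still reaches `error`, which presumably replies to an unauthenticated sender, so it is worth confirming that the list covers every code the decoder can return for malformed input. The `break;` after `return ret;` is unreachable and can be removed. do_connection starts and ends outside the hunk, and the new early returns bypass the `error:` label, so confirm nothing acquired earlier in the function needs releasing on those paths.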