From adaf780423d36eeb3ca2ce28a792e2c0ee9cac65 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand <lha@h5l.org>
Date: Mon, 8 Nov 2010 13:40:01 -0800
Subject: [PATCH] always check for error token in case of a failure

---
 lib/gssapi/krb5/init_sec_context.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index fe725f79a..fdef42166 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -736,22 +736,21 @@ repl_mutual
 	/* There is no OID wrapping. */
 	indata.length	= input_token->length;
 	indata.data	= input_token->value;
-	kret = krb5_rd_rep (context,
-			    ctx->auth_context,
-			    &indata,
-			    &repl);
-	if (kret >= ASN1_BAD_TIMEFORMAT && kret <= ASN1_INDEF_EXTRA_DATA) {
-	    ret = _gsskrb5_decapsulate (minor_status,
-					input_token,
-					&indata,
-					"\x03\x00",
-					GSS_KRB5_MECHANISM);
+	kret = krb5_rd_rep(context,
+			   ctx->auth_context,
+			   &indata,
+			   &repl);
+	if (kret) {
+	    ret = _gsskrb5_decapsulate(minor_status,
+				       input_token,
+				       &indata,
+				       "\x03\x00",
+				       GSS_KRB5_MECHANISM);
 	    if (ret == GSS_S_COMPLETE) {
-		    *minor_status = handle_error_packet(context, ctx, indata);
-		    return GSS_S_FAILURE;
+		*minor_status = handle_error_packet(context, ctx, indata);
+	    } else {
+		*minor_status = kret;
 	    }
-	} else if (kret) {
-	    *minor_status = kret;
 	    return GSS_S_FAILURE;
 	}
     } else {
-- 
2.11.4.GIT