-rw-r--r-- | src/backend/libpq/auth.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 7e328f7bcf6..466b3640e85 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.183 2009/06/25 11:30:08 mha Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.183.2.1 2009/10/14 07:27:27 heikki Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -181,6 +181,21 @@ static int pg_SSPI_recvauth(Port *port);
 #endif
+/*
+ * Maximum size of GSS and SSPI authentication tokens.
+ *
+ * Kerberos tickets are usually quite small, but the TGTs issued by Windows
+ * domain controllers include an authorization field known as the Privilege
+ * Attribute Certificate (PAC), which contains the user's Windows permissions
+ * (group memberships etc.). The PAC is copied into all tickets obtained on
+ * the basis of this TGT (even those issued by Unix realms which the Windows
+ * realm trusts), and can be several kB in size. The maximum token size
+ * accepted by Windows systems is determined by the MaxAuthToken Windows
+ * registry setting. Microsoft recommends that it is not set higher than
+ * 65535 bytes, so that seems like a reasonable limit for us as well.
+ */
+#define MAX_AUTH_TOKEN_LENGTH 65535
+
 /*----------------------------------------------------------------
 * Global authentication functions
@@ -937,7 +952,7 @@ pg_GSS_recvauth(Port *port)
 /* Get the actual GSS token */
 initStringInfo(&buf);
- if (pq_getmessage(&buf, 2000))
+ if (pq_getmessage(&buf, MAX_AUTH_TOKEN_LENGTH))
 {
 /* EOF - pq_getmessage already logged error */
 pfree(buf.data);
@@ -1175,7 +1190,7 @@ pg_SSPI_recvauth(Port *port)
 /* Get the actual SSPI token */
 initStringInfo(&buf);
- if (pq_getmessage(&buf, 2000))
+ if (pq_getmessage(&buf, MAX_AUTH_TOKEN_LENGTH))
 {
 /* EOF - pq_getmessage already logged error */
 pfree(buf.data); |
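Review bot: The comment above `MAX_AUTH_TOKEN_LENGTH` explains where 65535 comes from but does not say that the constant bounds a message read while the client is still unauthenticated, which is what a maintainer needs to know before raising it again. I would add a closing sentence such as `This is also the largest token message the backend will accept from a client that has not yet authenticated, so do not raise it without need.` The comment names the registry value `MaxAuthToken`; the Kerberos parameter Microsoft documents for this is, as far as I know, `MaxTokenSize`, so the name is worth checking before it is copied into user documentation.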
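Review bot: The failure branch in pg_GSS_recvauth still reads `/* EOF - pq_getmessage already logged error */`, although a non-zero return presumably also covers a token longer than `MAX_AUTH_TOKEN_LENGTH`; the identical branch in pg_SSPI_recvauth in the next hunk has the same wording. Something like `/* EOF or over-length token - pq_getmessage already logged error */` would tell whoever is tracing a failed Kerberos or SSPI login in the server log that the size cap is one of the possible causes. pq_getmessage is not visible here, so this assumes it rejects an over-limit message on the same return path. Both functions start and end outside their hunks.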