IPv6 Kerberos server address handling in SASL2 GSSAPI plugin
Xu, Qiang (FXSGSC)
Qiang.Xu at fujixerox.com
Thu Aug 6 07:22:37 EDT 2009
> -----Original Message-----
> From: Alexey Melnikov [mailto:alexey.melnikov at isode.com]
> Sent: Thursday, August 06, 2009 6:40 PM
> To: Xu, Qiang (FXSGSC)
> Cc: cyrus-sasl at lists.andrew.cmu.edu
> Subject: Re: IPv6 Kerberos server address handling in SASL2
> GSSAPI plugin
>
> There are some IP manipulation calls being done when the
> calling application provides local/remote IP addresses. These
> are in "<ip>;<port>" format, so functions manipulating them
> are not looking for ':'. So I think this is not relevant to
> GSSAPI plugin.
With your suggestion and code below:
================================================
int _sasl_ipfromstring(const char *addr,
                       struct sockaddr *out, socklen_t outlen)
{
    int i, j;
    struct addrinfo hints, *ai = NULL;
    char hbuf[NI_MAXHOST];

    /* A NULL out pointer just implies we don't do a copy, just verify it */
    if(!addr) return SASL_BADPARAM;

    /* Parse the address */
    for (i = 0; addr[i] != '\0' && addr[i] != ';'; i++) {
        if (i >= NI_MAXHOST)
            return SASL_BADPARAM;
        hbuf[i] = addr[i];
    }
    hbuf[i] = '\0';

    if (addr[i] == ';')
        i++;
    /* XXX: Do we need this check? */
    for (j = i; addr[j] != '\0'; j++)
        if (!isdigit((int)(addr[j])))
            return SASL_BADPARAM;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = PF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
    if (getaddrinfo(hbuf, &addr[i], &hints, &ai) != 0)
        return SASL_BADPARAM;

    if (out) {
        if (outlen < (socklen_t)ai->ai_addrlen) {
            freeaddrinfo(ai);
            return SASL_BUFOVER;
        }
        memcpy(out, ai->ai_addr, ai->ai_addrlen);
    }

    freeaddrinfo(ai);

    return SASL_OK;
}
...
int sasl_setprop(sasl_conn_t *conn, int propnum, const void *value)
{
    ...
    case SASL_IPREMOTEPORT:
    {
        const char *ipremoteport = (const char *)value;
        if(!value) {
            conn->got_ip_remote = 0;
        } else if (_sasl_ipfromstring(ipremoteport, NULL, 0)
                   != SASL_OK) {
            sasl_seterror(conn, 0, "Bad IPREMOTEPORT value");
            RETURN(conn, SASL_BADPARAM);
        } else {
            strcpy(conn->ipremoteport, ipremoteport);
            conn->got_ip_remote = 1;
        }
    ...
    case SASL_IPLOCALPORT:
    {
        const char *iplocalport = (const char *)value;
        if(!value) {
            conn->got_ip_local = 0;
        } else if (_sasl_ipfromstring(iplocalport, NULL, 0)
                   != SASL_OK) {
            sasl_seterror(conn, 0, "Bad IPLOCALPORT value");
            RETURN(conn, SASL_BADPARAM);
        } else {
            strcpy(conn->iplocalport, iplocalport);
            conn->got_ip_local = 1;
        }
    ...
}
================================================
I can understand what you said now, due to the stop condition of the for-loop (addr[i] != ';'). Yes, you are right. They are not looking for the colon character (':').
Hopefully, the Kerberos community can provide some help.
Thanks,
Xu Qiang
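
Added example, not part of the original message and not Cyrus SASL code: a stand-alone validator for the "<ip>;<port>" format discussed above, showing that an IPv6 literal passes because only ';' is treated as the delimiter. The function name ipport_family is hypothetical, and unlike the quoted code it assumes the ';' and port are mandatory.

```c
#include <ctype.h>
#include <netdb.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#ifndef NI_MAXHOST
#define NI_MAXHOST 1025
#endif

/* Hypothetical helper (not a Cyrus SASL function): validates an
 * "<ip>;<port>" string and returns its address family (AF_INET or
 * AF_INET6), or -1 if the string is malformed. */
int ipport_family(const char *addr)
{
    char host[NI_MAXHOST];
    struct addrinfo hints, *ai = NULL;
    const char *sep, *port, *p;
    size_t hostlen;
    int family;

    if (addr == NULL || (sep = strchr(addr, ';')) == NULL)
        return -1;

    /* Only ';' ends the host part, so the ':' groups of an IPv6
     * literal stay inside it. Reject hosts that leave no room for NUL. */
    hostlen = (size_t)(sep - addr);
    if (hostlen == 0 || hostlen >= sizeof(host))
        return -1;
    memcpy(host, addr, hostlen);
    host[hostlen] = '\0';

    /* The port must be a non-empty run of decimal digits. */
    port = sep + 1;
    if (*port == '\0')
        return -1;
    for (p = port; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return -1;

    /* AI_NUMERICHOST: accept address literals only, never query DNS. */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    if (getaddrinfo(host, port, &hints, &ai) != 0)
        return -1;
    family = ai->ai_family;
    freeaddrinfo(ai);
    return family;
}
```

The sample addresses used to exercise it (192.0.2.10 and 2001:db8::1) are constructed documentation-range values.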