IPv6 Kerberos server address handling in SASL2 GSSAPI plugin

Xu, Qiang (FXSGSC) Qiang.Xu at fujixerox.com
Thu Aug 6 07:22:37 EDT 2009


> -----Original Message-----
> From: Alexey Melnikov [mailto:alexey.melnikov at isode.com] 
> Sent: Thursday, August 06, 2009 6:40 PM
> To: Xu, Qiang (FXSGSC)
> Cc: cyrus-sasl at lists.andrew.cmu.edu
> Subject: Re: IPv6 Kerberos server address handling in SASL2 
> GSSAPI plugin
> 
> There are some IP manipulation calls being done when the 
> calling application provides local/remote IP addresses. These 
> are in "<ip>;<port>" format, so functions manipulating them 
> are not looking for ':'. So I think this is not relevant to 
> GSSAPI plugin.

With your suggestion and code below:
================================================
int _sasl_ipfromstring(const char *addr,
		       struct sockaddr *out, socklen_t outlen) 
{
    int i, j;
    struct addrinfo hints, *ai = NULL;
    char hbuf[NI_MAXHOST];
    
    /* A NULL out pointer just implies we don't do a copy, just verify it */

    if(!addr) return SASL_BADPARAM;

    /* Parse the address */
    for (i = 0; addr[i] != '\0' && addr[i] != ';'; i++) {
	if (i >= NI_MAXHOST)
	    return SASL_BADPARAM;
	hbuf[i] = addr[i];
    }
    hbuf[i] = '\0';

    if (addr[i] == ';')
	i++;
    /* XXX: Do we need this check? */
    for (j = i; addr[j] != '\0'; j++)
	if (!isdigit((int)(addr[j])))
	    return SASL_BADPARAM;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = PF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
    if (getaddrinfo(hbuf, &addr[i], &hints, &ai) != 0)
	return SASL_BADPARAM;

    if (out) {
	if (outlen < (socklen_t)ai->ai_addrlen) {
	    freeaddrinfo(ai);
	    return SASL_BUFOVER;
	}
	memcpy(out, ai->ai_addr, ai->ai_addrlen);
    }

    freeaddrinfo(ai);

    return SASL_OK;
} 

...

int sasl_setprop(sasl_conn_t *conn, int propnum, const void *value)
{
  ...
  case SASL_IPREMOTEPORT:
  {
      const char *ipremoteport = (const char *)value;
      if(!value) {
	  conn->got_ip_remote = 0; 
      } else if (_sasl_ipfromstring(ipremoteport, NULL, 0)
		 != SASL_OK) {
	  sasl_seterror(conn, 0, "Bad IPREMOTEPORT value");
	  RETURN(conn, SASL_BADPARAM);
      } else {
	  strcpy(conn->ipremoteport, ipremoteport);
	  conn->got_ip_remote = 1;
      }
  ...
  case SASL_IPLOCALPORT:
  {
      const char *iplocalport = (const char *)value;
      if(!value) {
	  conn->got_ip_local = 0;	  
      } else if (_sasl_ipfromstring(iplocalport, NULL, 0)
		 != SASL_OK) {
	  sasl_seterror(conn, 0, "Bad IPLOCALPORT value");
	  RETURN(conn, SASL_BADPARAM);
      } else {
	  strcpy(conn->iplocalport, iplocalport);
	  conn->got_ip_local = 1;
      }
  ...
}
================================================
I can understand what you said now, due to the stop condition of the for-loop (addr[i] != ';'). Yes, you are right. They are not looking for the colon character (':').

Hopefully, the Kerberos community can provide some help.

Thanks,
Xu Qiang
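
The "<ip>;<port>" split discussed in this message, as an added example that is not part of the original post or of Cyrus SASL: because only ';' is treated as the delimiter, the colons inside an IPv6 literal stay part of the host. `parse_ip_port` is a hypothetical helper; it assumes the ';' and a non-empty port are mandatory (stricter than the quoted function), and the sample addresses are constructed from documentation ranges.

```c
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not a Cyrus SASL function): parse "<ip>;<port>".
 * Returns AF_INET / AF_INET6, or -1 on bad input; *port is host order. */
static int parse_ip_port(const char *addr, struct sockaddr_storage *out,
                         unsigned *port)
{
    char host[NI_MAXHOST];
    struct addrinfo hints, *ai = NULL;
    const char *sep, *p;
    size_t hlen;
    int family;

    if (!addr || !out || !port) return -1;
    sep = strchr(addr, ';');      /* ';' is the only delimiter; ':' is data */
    if (!sep || sep[1] == '\0') return -1;  /* assumption: port is mandatory */
    hlen = (size_t)(sep - addr);
    if (hlen == 0 || hlen >= sizeof(host)) return -1;  /* keep room for NUL */
    memcpy(host, addr, hlen);
    host[hlen] = '\0';
    for (p = sep + 1; *p; p++)
        if (!isdigit((unsigned char)*p)) return -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;  /* never touches DNS */
    if (getaddrinfo(host, sep + 1, &hints, &ai) != 0) return -1;
    family = ai->ai_family;
    memset(out, 0, sizeof(*out));
    memcpy(out, ai->ai_addr, ai->ai_addrlen);
    freeaddrinfo(ai);
    *port = ntohs(family == AF_INET6 ? ((struct sockaddr_in6 *)out)->sin6_port
                                     : ((struct sockaddr_in *)out)->sin_port);
    return family;
}

int main(void)
{
    struct sockaddr_storage ss;
    unsigned port;
    /* Constructed input using a documentation-range IPv6 address. */
    printf("%d\n", parse_ip_port("2001:db8::1;88", &ss, &port) == AF_INET6);
    return 0;
}
```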

