From: Timo Sirainen
Date: Thu, 9 Apr 2020 21:10:55 +0000 (+0300)
Subject: login-proxy: Check for missing host IP address earlier
X-Git-Tag: 2.3.11.2~203
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b6b0ef59483021cc1b1fb81d2c8c4627d804970a;p=thirdparty%2Fdovecot%2Fcore.git

login-proxy: Check for missing host IP address earlier

Also fail if "hostip" is returned by passdb but it's not a valid IP address.
---

diff --git a/src/login-common/client-common-auth.c b/src/login-common/client-common-auth.c
index 9c40a60583..4b6bd39c98 100644
--- a/src/login-common/client-common-auth.c
+++ b/src/login-common/client-common-auth.c
@@ -387,7 +387,8 @@ static void proxy_input(struct client *client)
 static bool
 proxy_check_start(struct client *client, struct event *event,
 		  const struct client_auth_reply *reply,
-		  const struct dsasl_client_mech **sasl_mech_r)
+		  const struct dsasl_client_mech **sasl_mech_r,
+		  struct ip_addr *ip_r)
 {
 	if (reply->password == NULL) {
 		e_error(event, "password not given");
@@ -398,6 +399,18 @@ proxy_check_start(struct client *client, struct event *event,
 		return FALSE;
 	}
 
+	if (reply->hostip != NULL && reply->hostip[0] != '\0') {
+		if (net_addr2ip(reply->hostip, ip_r) < 0) {
+			e_error(event, "Invalid hostip %s", reply->hostip);
+			return FALSE;
+		}
+	} else if (net_addr2ip(reply->host, ip_r) < 0) {
+		e_error(event,
+			"BUG: host %s is not an IP (auth should have changed it)",
+			reply->host);
+		return FALSE;
+	}
+
 	if (reply->proxy_mech != NULL) {
 		*sasl_mech_r = dsasl_client_mech_find(reply->proxy_mech);
 		if (*sasl_mech_r == NULL) {
@@ -423,6 +436,7 @@ static int proxy_start(struct client *client,
 {
 	struct login_proxy_settings proxy_set;
 	const struct dsasl_client_mech *sasl_mech = NULL;
+	struct ip_addr ip;
 	struct event *event;
 
 	i_assert(reply->destuser != NULL);
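Review bot: The new `ip_r` out-parameter carries no contract, so a caller cannot tell from the signature when `*ip_r` may be read. I'd add a comment above the signature stating what the caller may rely on, e.g. `/* On TRUE, *ip_r holds the address to connect to: hostip when given, otherwise host. Do not read *ip_r when FALSE is returned. */`. proxy_check_start's body continues past this hunk.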
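Review bot: `net_addr2ip(reply->host, ip_r)` in the new else-branch dereferences `reply->host`, and nothing in this hunk shows that host is non-NULL; the two context lines at its top (`return FALSE; }`) look like the end of an earlier missing-host check, so if that check rejects a NULL or empty host nothing is needed, otherwise the branch should read `} else if (reply->host == NULL || net_addr2ip(reply->host, ip_r) < 0) {`. The asymmetry is also worth recording: an empty hostip silently falls back to host, while a non-empty but unparsable one is now a hard failure, so a comment on the `hostip[0] != '\0'` test such as `/* empty hostip means "not given"; host must then already be an IP */` would spell that out. proxy_check_start starts in the previous hunk and continues past this one.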
@@ -436,7 +450,7 @@ static int proxy_start(struct client *client,
 	event_set_append_log_prefix(event, t_strdup_printf(
 		"proxy(%s): ", client->virtual_user));
 
-	if (!proxy_check_start(client, event, reply, &sasl_mech)) {
+	if (!proxy_check_start(client, event, reply, &sasl_mech, &ip)) {
 		client_proxy_error(client, PROXY_FAILURE_MSG);
 		event_unref(&event);
 		return -1;
@@ -444,9 +458,7 @@ static int proxy_start(struct client *client,
 
 	i_zero(&proxy_set);
 	proxy_set.host = reply->host;
-	if (reply->hostip != NULL &&
-	    net_addr2ip(reply->hostip, &proxy_set.ip) < 0)
-		proxy_set.ip.family = 0;
+	proxy_set.ip = ip;
 	if (reply->source_ip != NULL) {
 		if (net_addr2ip(reply->source_ip, &proxy_set.source_ip) < 0)
 			proxy_set.source_ip.family = 0;
diff --git a/src/login-common/login-proxy.c b/src/login-common/login-proxy.c
index 5a93cceb8f..edff91321b 100644
--- a/src/login-common/login-proxy.c
+++ b/src/login-common/login-proxy.c
@@ -280,14 +280,6 @@ static int login_proxy_connect(struct login_proxy *proxy)
 	proxy->num_waiting_connections_updated = FALSE;
 	rec->num_waiting_connections++;
 
-	if (proxy->ip.family == 0 &&
-	    net_addr2ip(proxy->host, &proxy->ip) < 0) {
-		e_error(proxy->event,
-			"BUG: host %s is not an IP (auth should have changed it)",
-			proxy->host);
-		return -1;
-	}
-
 	if (rec->last_success.tv_sec == 0) {
 		/* first connect to this IP. don't start immediately
 		   failing the check below. */
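Review bot: `proxy_set.ip = ip;` is now the only source of the address login_proxy_connect() will use, because the login-proxy.c hunk in this same commit removes that function's fallback to parsing `proxy->host`, so any path that reaches this line without proxy_check_start() having filled `ip` would presumably proceed with an unset address. In the flow visible here that cannot happen — `ip` is written only by proxy_check_start(), whose FALSE return makes proxy_start return -1 in the preceding hunk — but `ip` is declared without an initialiser (`struct ip_addr ip;` in the earlier hunk) and nothing at this spot checks it. I'd make the invariant explicit with `i_assert(ip.family != 0);` immediately before the assignment, reusing the `family == 0` "unset" convention the removed lines relied on, so a future caller that skips the check fails loudly instead of connecting somewhere undefined. proxy_start begins and ends outside this hunk.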