login-common: Fail if auth returns invalid source_ip
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Thu, 14 May 2020 21:29:37 +0000 (00:29 +0300)
committerAki Tuomi <aki.tuomi@open-xchange.com>
Mon, 17 Jan 2022 11:52:08 +0000 (13:52 +0200)
src/login-common/client-common-auth.c
src/login-common/client-common.h

index e944e35af140f40929a6952c3e93908233e3a9be..369d713856e4d392395d98a3c00dceefd4e6ee64 100644 (file)
@@ -166,9 +166,15 @@ static bool client_auth_parse_args(const struct client *client, bool success,
                                        "hostip %s", value);
                                return FALSE;
                        }
-               } else if (strcmp(key, "source_ip") == 0)
-                       reply_r->source_ip = value;
-               else if (strcmp(key, "port") == 0) {
+               } else if (strcmp(key, "source_ip") == 0) {
+                       if (value[0] != '\0' &&
+                           net_addr2ip(value, &reply_r->source_ip) < 0) {
+                               e_error(client->event,
+                                       "Auth service returned invalid "
+                                       "source_ip %s", value);
+                               return FALSE;
+                       }
+               } else if (strcmp(key, "port") == 0) {
                        if (net_str2port(value, &reply_r->port) < 0) {
                                e_error(client->event,
                                        "Auth service returned invalid "
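Review bot: An empty `source_ip` value bypasses net_addr2ip() in the new branch and leaves reply_r->source_ip as it was, so the "not set" state that proxy_start() tests with `source_ip.family != 0` relies on reply_r being zeroed before parsing, which this hunk does not show. That convention is not written down here or on the field in client-common.h. A comment such as `/* empty value = no source IP; family stays 0 */` above the `value[0] != '\0'` test, with a matching one on the struct field, would record it. If the reply ever carried source_ip twice, an empty second value would keep the first address instead of clearing it. client_auth_parse_args begins and ends outside the hunk.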
@@ -536,9 +542,8 @@ static int proxy_start(struct client *client,
        i_zero(&proxy_set);
        proxy_set.host = reply->host;
        proxy_set.ip = reply->host_ip;
-       if (reply->source_ip != NULL) {
-               if (net_addr2ip(reply->source_ip, &proxy_set.source_ip) < 0)
-                       proxy_set.source_ip.family = 0;
+       if (reply->source_ip.family != 0) {
+               proxy_set.source_ip = reply->source_ip;
        } else if (login_source_ips_count > 0) {
                /* select the next source IP with round robin. */
                proxy_set.source_ip = login_source_ips[login_source_ips_idx];
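Review bot: The auth-supplied address is copied into proxy_set.source_ip without comparing its family to reply->host_ip, so an IPv4 source paired with an IPv6 destination (or the reverse) is not rejected at this point. How the connect path treats such a mismatch is not visible in the hunk; if it drops the bind address, the proxy connection would leave from an address the operator did not choose. A guard before the assignment, `if (reply->host_ip.family != 0 && reply->host_ip.family != reply->source_ip.family)`, with an e_error() and a failure return would surface the misconfiguration early. proxy_start continues beyond the hunk.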
index 0d03fb5b9f5da21097856e5b55f1ef3622d1931b..428a1f2141146b84c6d8d03f79ecbce520ba4465 100644 (file)
@@ -99,8 +99,8 @@ struct client_auth_reply {
        ARRAY_TYPE(const_string) alt_usernames;
 
        /* for proxying */
-       const char *host, *source_ip;
-       struct ip_addr host_ip;
+       const char *host;
+       struct ip_addr source_ip, host_ip;
        const char *destuser, *password, *proxy_mech;
        in_port_t port;
        unsigned int proxy_timeout_msecs;