From a4dad27a25bcb7e66c413fe4a8f93a88a79cc866 Mon Sep 17 00:00:00 2001 From: Zdenek Dohnal Date: Mon, 15 Jan 2024 15:14:24 +0100 Subject: [PATCH] backend/ipp.c: Fix infinite loop with Kerberos If IP address was used with Kerberos, IPP backend retried connection indefinitely. The fix is to abort when we find out hostname is an IP address and we require Kerberos. Fixes #838 --- CHANGES.md | 1 + backend/ipp.c | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 10cf171e16..1349f90fc6 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -40,6 +40,7 @@ Changes in CUPS v2.5b1 (TBA) - Fixed memory leak when creating color profiles (Issue #814) - Fixed crash in `scan_ps()` if incoming argument is NULL (Issue #831) - Fixed setting job state reasons for successful jobs (Issue #832) +- Fixed infinite loop in IPP backend if hostname is IP address with Kerberos (Issue #838) - Fixed crash in `ppdEmitString()` if there is no record for page size `Custom` (Issue #849) - Fixed reporting `media-source-supported` when sharing printer which has numbers as strings diff --git a/backend/ipp.c b/backend/ipp.c index 434f71016b..3e609bd5b0 100644 --- a/backend/ipp.c +++ b/backend/ipp.c @@ -409,6 +409,19 @@ main(int argc, /* I - Number of command-line args */ else cupsSetEncryption(HTTP_ENCRYPTION_IF_REQUESTED); + if (!strcmp(auth_info_required, "negotiate") && + (isdigit(hostname[0] & 255) || hostname[0] == '[')) + { + /* + * IP addresses are not allowed with Kerberos... + */ + + _cupsLangPrintFilter(stderr, "ERROR", + _("IP address is not allowed as hostname when using Negotiate - use FQDN.")); + update_reasons(NULL, "-connecting-to-device"); + return (CUPS_BACKEND_FAILED); + } + /* * See if there are any options... */ -- 2.47.2