> -----Original Message-----
> From: Alexey Melnikov [mailto:alexey.melnikov@xxxxxxxxx]
> Sent: Thursday, August 06, 2009 6:40 PM
> To: Xu, Qiang (FXSGSC)
> Cc: cyrus-sasl@xxxxxxxxxxxxxxxxxxxx
> Subject: Re: IPv6 Kerberos server address handling in SASL2
> GSSAPI plugin
>
> There are some IP manipulation calls being done when the
> calling application provides local/remote IP addresses. These
> are in "<ip>;<port>" format, so functions manipulating them
> are not looking for ':'. So I think this is not relevant to
> GSSAPI plugin.

With your suggestion and code below:
================================================
int _sasl_ipfromstring(const char *addr,
                       struct sockaddr *out, socklen_t outlen)
{
    int i, j;
    struct addrinfo hints, *ai = NULL;
    char hbuf[NI_MAXHOST];

    /* A NULL out pointer just implies we don't do a copy, just verify it */

    if(!addr) return SASL_BADPARAM;

    /* Parse the address: everything up to ';' is the host part, so the
     * ':' characters of an IPv6 literal are copied through untouched */
    for (i = 0; addr[i] != '\0' && addr[i] != ';'; i++) {
        /* leave room for the terminating NUL written after the loop */
        if (i >= NI_MAXHOST - 1)
            return SASL_BADPARAM;
        hbuf[i] = addr[i];
    }
    hbuf[i] = '\0';

    if (addr[i] == ';')
        i++;
    /* XXX: Do we need this check? */
    for (j = i; addr[j] != '\0'; j++)
        if (!isdigit((int)(addr[j])))
            return SASL_BADPARAM;

    /* AI_NUMERICHOST: accept only literal addresses, no DNS lookup */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = PF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
    if (getaddrinfo(hbuf, &addr[i], &hints, &ai) != 0)
        return SASL_BADPARAM;

    if (out) {
        if (outlen < (socklen_t)ai->ai_addrlen) {
            freeaddrinfo(ai);
            return SASL_BUFOVER;
        }
        memcpy(out, ai->ai_addr, ai->ai_addrlen);
    }

    freeaddrinfo(ai);

    return SASL_OK;
}
...
int sasl_setprop(sasl_conn_t *conn, int propnum, const void *value)
{
    ...
    case SASL_IPREMOTEPORT: {
        const char *ipremoteport = (const char *)value;
        if(!value) {
            conn->got_ip_remote = 0;
        } else if (_sasl_ipfromstring(ipremoteport, NULL, 0)
                   != SASL_OK) {
            sasl_seterror(conn, 0, "Bad IPREMOTEPORT value");
            RETURN(conn, SASL_BADPARAM);
        } else {
            strcpy(conn->ipremoteport, ipremoteport);
            conn->got_ip_remote = 1;
        }
    ...
    case SASL_IPLOCALPORT: {
        const char *iplocalport = (const char *)value;
        if(!value) {
            conn->got_ip_local = 0;
        } else if (_sasl_ipfromstring(iplocalport, NULL, 0)
                   != SASL_OK) {
            sasl_seterror(conn, 0, "Bad IPLOCALPORT value");
            RETURN(conn, SASL_BADPARAM);
        } else {
            strcpy(conn->iplocalport, iplocalport);
            conn->got_ip_local = 1;
        }
    ...
}
================================================
I can understand what you said now, due to the stop condition of the for-loop (addr[i] != ';'). Yes, you are right. They are not looking for the colon character (':').

Hopefully, the Kerberos community can provide some help.

Thanks,
Xu Qiang
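
An added example, not part of the original message and not Cyrus SASL code: how a calling application could build the "<ip>;<port>" string discussed above from a socket address, so that an IPv6 literal keeps its ':' characters and only ';' separates host from port. The helper name format_ipport and the sample address 2001:db8::1 with port 88 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper: render a socket address as "<ip>;<port>".
 * Returns 0 on success, -1 on an unsupported family or short buffer. */
int format_ipport(const struct sockaddr *sa, char *out, size_t outlen)
{
    char host[INET6_ADDRSTRLEN];
    unsigned port;
    int n;

    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
        if (!inet_ntop(AF_INET6, &s6->sin6_addr, host, sizeof(host)))
            return -1;
        port = ntohs(s6->sin6_port);
    } else if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
        if (!inet_ntop(AF_INET, &s4->sin_addr, host, sizeof(host)))
            return -1;
        port = ntohs(s4->sin_port);
    } else {
        return -1;
    }
    /* ';' is the only separator; reject truncation instead of emitting it */
    n = snprintf(out, outlen, "%s;%u", host, port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    struct sockaddr_in6 s6;  /* constructed sample: 2001:db8::1, port 88 */
    char buf[INET6_ADDRSTRLEN + 8];

    memset(&s6, 0, sizeof(s6));
    s6.sin6_family = AF_INET6;
    s6.sin6_port = htons(88);
    inet_pton(AF_INET6, "2001:db8::1", &s6.sin6_addr);
    if (format_ipport((struct sockaddr *)&s6, buf, sizeof(buf)) == 0)
        puts(buf);
    return 0;
}
```

The resulting string is the kind of value passed as SASL_IPLOCALPORT or SASL_IPREMOTEPORT to sasl_setprop() in the code quoted above.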