Skip to content

Commit 2a1d3c5

Browse files
cosmo0920cosmo0920
committed
in_forward: Fix incorrect user auth
Signed-off-by: Hiroshi Hatake <[email protected]>
1 parent 2b7eff7 commit 2a1d3c5

File tree

1 file changed

+21
-12
lines changed

1 file changed

+21
-12
lines changed

plugins/in_forward/fw_prot.c

Lines changed: 21 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -792,11 +792,10 @@ static int send_pong(struct flb_input_instance *in,
792792
if (bytes == -1) {
793793
flb_plg_error(in, "cannot send PONG");
794794

795-
result = -1;
796-
}
797-
else if (userauth == FLB_FALSE) {
798-
flb_plg_error(in, "cannot send PONG");
799-
795+
/*
796+
* The 'userauth == FLB_FALSE' case is not an error; it's a successful
797+
* transmission of a failure notification. We only fail if the write fails.
798+
*/
800799
result = -1;
801800
}
802801
else {
@@ -1203,36 +1202,46 @@ int fw_prot_secure_forward_handshake_start(struct flb_input_instance *ins,
12031202
int fw_prot_secure_forward_handshake(struct flb_input_instance *ins,
12041203
struct fw_conn *conn)
12051204
{
1206-
int ret;
12071205
char *shared_key_salt = NULL;
12081206
int userauth = FLB_TRUE;
12091207
flb_sds_t reason = NULL;
1208+
int ping_ret;
1209+
int pong_ret;
12101210

12111211
reason = flb_sds_create_size(32);
12121212
flb_plg_debug(ins, "protocol: checking PING");
1213-
ret = check_ping(ins, conn, &shared_key_salt);
1214-
if (ret == -1) {
1213+
ping_ret = check_ping(ins, conn, &shared_key_salt);
1214+
if (ping_ret == -1) {
12151215
flb_plg_error(ins, "handshake error checking PING");
12161216

12171217
goto error;
12181218
}
1219-
else if (ret == -2) {
1219+
else if (ping_ret == -2) {
12201220
flb_plg_warn(ins, "user authentication is failed");
12211221
userauth = FLB_FALSE;
12221222
reason = flb_sds_cat(reason, "username/password mismatch", 26);
12231223
}
12241224

12251225
flb_plg_debug(ins, "protocol: sending PONG");
1226-
ret = send_pong(ins, conn, shared_key_salt, userauth, reason);
1227-
if (ret == -1) {
1228-
flb_plg_error(ins, "handshake error sending PONG");
1226+
pong_ret = send_pong(ins, conn, shared_key_salt, userauth, reason);
1227+
if (pong_ret == -1) {
1228+
flb_plg_error(ins, "handshake error: could not send PONG to client");
12291229

12301230
goto error;
12311231
}
12321232

12331233
flb_sds_destroy(shared_key_salt);
12341234
flb_sds_destroy(reason);
12351235

1236+
/*
1237+
* If the initial authentication check failed (either shared_key or user),
1238+
* we have successfully notified the client with a PONG failure message,
1239+
* so we must now terminate the handshake by returning an error.
1240+
*/
1241+
if (ping_ret < 0) {
1242+
return -1;
1243+
}
1244+
12361245
return 0;
12371246

12381247
error:

0 commit comments

Comments
 (0)