Skip to content

Commit 770de3d

Browse files
cosmo0920cosmo0920
committed
in_forward: Fix incorrect user auth
Signed-off-by: Hiroshi Hatake <[email protected]>
1 parent c02e4a3 commit 770de3d

File tree

1 file changed

+21
-12
lines changed

1 file changed

+21
-12
lines changed

plugins/in_forward/fw_prot.c

Lines changed: 21 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -775,11 +775,10 @@ static int send_pong(struct flb_input_instance *in,
775775
if (bytes == -1) {
776776
flb_plg_error(in, "cannot send PONG");
777777

778-
result = -1;
779-
}
780-
else if (userauth == FLB_FALSE) {
781-
flb_plg_error(in, "cannot send PONG");
782-
778+
/*
779+
* The 'userauth == FLB_FALSE' case is not an error; it's a successful
780+
* transmission of a failure notification. We only fail if the write fails.
781+
*/
783782
result = -1;
784783
}
785784
else {
@@ -1186,36 +1185,46 @@ int fw_prot_secure_forward_handshake_start(struct flb_input_instance *ins,
11861185
int fw_prot_secure_forward_handshake(struct flb_input_instance *ins,
11871186
struct fw_conn *conn)
11881187
{
1189-
int ret;
11901188
char *shared_key_salt = NULL;
11911189
int userauth = FLB_TRUE;
11921190
flb_sds_t reason = NULL;
1191+
int ping_ret;
1192+
int pong_ret;
11931193

11941194
reason = flb_sds_create_size(32);
11951195
flb_plg_debug(ins, "protocol: checking PING");
1196-
ret = check_ping(ins, conn, &shared_key_salt);
1197-
if (ret == -1) {
1196+
ping_ret = check_ping(ins, conn, &shared_key_salt);
1197+
if (ping_ret == -1) {
11981198
flb_plg_error(ins, "handshake error checking PING");
11991199

12001200
goto error;
12011201
}
1202-
else if (ret == -2) {
1202+
else if (ping_ret == -2) {
12031203
flb_plg_warn(ins, "user authentication is failed");
12041204
userauth = FLB_FALSE;
12051205
reason = flb_sds_cat(reason, "username/password mismatch", 26);
12061206
}
12071207

12081208
flb_plg_debug(ins, "protocol: sending PONG");
1209-
ret = send_pong(ins, conn, shared_key_salt, userauth, reason);
1210-
if (ret == -1) {
1211-
flb_plg_error(ins, "handshake error sending PONG");
1209+
pong_ret = send_pong(ins, conn, shared_key_salt, userauth, reason);
1210+
if (pong_ret == -1) {
1211+
flb_plg_error(ins, "handshake error: could not send PONG to client");
12121212

12131213
goto error;
12141214
}
12151215

12161216
flb_sds_destroy(shared_key_salt);
12171217
flb_sds_destroy(reason);
12181218

1219+
/*
1220+
* If the initial authentication check failed (either shared_key or user),
1221+
* we have successfully notified the client with a PONG failure message,
1222+
* so we must now terminate the handshake by returning an error.
1223+
*/
1224+
if (ping_ret < 0) {
1225+
return -1;
1226+
}
1227+
12191228
return 0;
12201229

12211230
error:

0 commit comments

Comments
 (0)