backend/ipp.c: Fix infinite loop with Kerberos

If IP address was used with Kerberos, IPP backend retried connection indefinitely. The fix is to abort when we find out hostname is an IP address and we require Kerberos.
OpenPrinting · Jan 15, 2024 · 9ef75d2 · 9ef75d2
1 parent 08e2060
commit 9ef75d2
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -14,9 +14,12 @@ Changes in CUPS v2.4.8 (TBA)
   successfully printed jobs (Issue #830)
 - Fixed crash in `scan_ps()` if incoming argument is NULL (Issue #831)
 - Fixed setting job state reasons for successful jobs (Issue #832)
+- Fixed infinite loop in IPP backend if hostname is IP address with Kerberos (Issue #838)
 - Added additional check on socket if `revents` from `poll()` returns POLLHUP
   together with POLLIN or POLLOUT in `httpAddrConnect2()` (Issue #839)
 - Fixed crash in `ppdEmitString()` if `size` is NULL (Issue #850)
+- Fixed reporting `media-source-supported` when sharing printer which has numbers as strings
+  instead of keywords as `InputSlot` values (Issue #859)
 - Fixed IPP backend to support the "print-scaling" option with IPP printers
   (Issue #862)
 
@@ -35,8 +38,6 @@ Changes in CUPS v2.4.7 (2023-09-20)
 - Fixed purging job files via `cancel -x` (Issue #742)
 - Fixed RFC 1179 port reserving behavior in LPD backend (Issue #743)
 - Fixed a bug in the PPD command interpretation code (Issue #768)
-- Fixed reporting `media-source-supported` when sharing printer which has numbers as strings
-  instead of keywords as `InputSlot` values (Issue #859)
 
 
 Changes in CUPS v2.4.6 (2023-06-22)

diff --git a/backend/ipp.c b/backend/ipp.c
@@ -424,6 +424,19 @@ main(int  argc,				/* I - Number of command-line args */
   else
     cupsSetEncryption(HTTP_ENCRYPTION_IF_REQUESTED);
 
+  if (!strcmp(auth_info_required, "negotiate") &&
+      (isdigit(hostname[0] & 255) || hostname[0] == '['))
+  {
+   /*
+    * IP addresses are not allowed with Kerberos...
+    */
+
+    _cupsLangPrintFilter(stderr, "ERROR",
+			 _("IP address is not allowed as hostname when using Negotiate - use FQDN."));
+    update_reasons(NULL, "-connecting-to-device");
+    return (CUPS_BACKEND_FAILED);
+  }
+
  /*
   * See if there are any options...
   */