ui: various improvements to VNC SASL code

[PATCH 1/6] ui/vnc: don't return an empty SASL mechlist to the client

Posted by Daniel P. Berrangé 1 day, 6 hours ago

The SASL initialization phase may determine that there are no valid
mechanisms available to use. This may be because the host OS admin
forgot to install some packages, or it might be because the requested
SSF level is incompatible with available mechanisms, or other unknown
reasons.

If we return an empty mechlist to the client, they're going to get a
failure from the SASL library on their end and drop the connection.
Thus there is no point even sending this back to the client, we can
just drop the connection immediately.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 ui/vnc-auth-sasl.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ui/vnc-auth-sasl.c b/ui/vnc-auth-sasl.c
index 47fdae5b21..7d9ca9e8ac 100644
--- a/ui/vnc-auth-sasl.c
+++ b/ui/vnc-auth-sasl.c
@@ -674,6 +674,13 @@ void start_auth_sasl(VncState *vs)
     }
     trace_vnc_auth_sasl_mech_list(vs, mechlist);
 
+    if (g_str_equal(mechlist, "")) {
+        trace_vnc_auth_fail(vs, vs->auth, "no available SASL mechanisms", "");
+        sasl_dispose(&vs->sasl.conn);
+        vs->sasl.conn = NULL;
+        goto authabort;
+    }
+
     vs->sasl.mechlist = g_strdup(mechlist);
     mechlistlen = strlen(mechlist);
     vnc_write_u32(vs, mechlistlen);
-- 
2.46.0

[PATCH 1/6] ui/vnc: don't return an empty SASL mechlist to the client
[PATCH 2/6] ui/vnc: don't raise error formatting socket address for non-inet
[PATCH 3/6] ui/vnc: fix skipping SASL SSF on UNIX sockets
[PATCH 4/6] ui/vnc: don't check for SSF after SASL authentication on UNIX sockets
[PATCH 5/6] ui: fix handling of NULL SASL server data
[PATCH 6/6] ui: validate NUL byte padding in SASL client data more strictly