krb5: Fix DNS SRV name collision handling

committed by
Jeffrey Altman

parent
8d20888e09
commit
305ab03155
@@ -49,12 +49,22 @@ string_to_proto(const char *string)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#define YOUR_DNS_NEEDS_IMM_ATTENTION "your-dns-needs-immediate-attention."
|
||||||
static int
|
static int
|
||||||
is_invalid_tld_srv_target(const char *target)
|
is_invalid_tld_srv_target(const char *target)
|
||||||
{
|
{
|
||||||
return (strncmp("your-dns-needs-immediate-attention.",
|
if (strncmp(YOUR_DNS_NEEDS_IMM_ATTENTION, target,
|
||||||
target, 35) == 0
|
sizeof(YOUR_DNS_NEEDS_IMM_ATTENTION) - 1) != 0)
|
||||||
&& strchr(&target[35], '.') == NULL);
|
return 0;
|
||||||
|
target += sizeof(YOUR_DNS_NEEDS_IMM_ATTENTION) - 1;
|
||||||
|
if (target[0] == '\0' || target[0] == '.')
|
||||||
|
return 0; /* malformed; should be followed by a TLD */
|
||||||
|
target = strchr(target, '.');
|
||||||
|
if (target == NULL)
|
||||||
|
return 0; /* malformed; should end in a '.' */
|
||||||
|
if (target[1] != '\0')
|
||||||
|
return 0; /* malformed; should be followed by just one label (the TLD) */
|
||||||
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -129,28 +139,25 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
|
|||||||
if(rr->type == rk_ns_t_srv) {
|
if(rr->type == rk_ns_t_srv) {
|
||||||
krb5_krbhst_info *hi = NULL;
|
krb5_krbhst_info *hi = NULL;
|
||||||
size_t len;
|
size_t len;
|
||||||
int invalid_tld = 1;
|
|
||||||
|
|
||||||
/* Test for top-level domain controlled interruptions */
|
/* Test for top-level domain controlled interruptions */
|
||||||
if (!is_invalid_tld_srv_target(rr->u.srv->target)) {
|
if (is_invalid_tld_srv_target(rr->u.srv->target)) {
|
||||||
invalid_tld = 0;
|
krb5_warnx(context,
|
||||||
len = strlen(rr->u.srv->target);
|
"Domain lookup failed: "
|
||||||
hi = calloc(1, sizeof(*hi) + len);
|
"Realm %s needs immediate attention "
|
||||||
|
"see https://icann.org/namecollision",
|
||||||
|
realm);
|
||||||
|
return KRB5_KDC_UNREACH;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
len = strlen(rr->u.srv->target);
|
||||||
|
hi = calloc(1, sizeof(*hi) + len);
|
||||||
if(hi == NULL) {
|
if(hi == NULL) {
|
||||||
rk_dns_free_data(r);
|
rk_dns_free_data(r);
|
||||||
while(--num_srv >= 0)
|
while(--num_srv >= 0)
|
||||||
free((*res)[num_srv]);
|
free((*res)[num_srv]);
|
||||||
free(*res);
|
free(*res);
|
||||||
*res = NULL;
|
*res = NULL;
|
||||||
if (invalid_tld) {
|
|
||||||
krb5_warnx(context,
|
|
||||||
"Domain lookup failed: "
|
|
||||||
"Realm %s needs immediate attention "
|
|
||||||
"see https://icann.org/namecollision",
|
|
||||||
realm);
|
|
||||||
return KRB5_KDC_UNREACH;
|
|
||||||
}
|
|
||||||
return krb5_enomem(context);
|
return krb5_enomem(context);
|
||||||
}
|
}
|
||||||
(*res)[num_srv++] = hi;
|
(*res)[num_srv++] = hi;
|
||||||
|
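Review bot: The new early `return KRB5_KDC_UNREACH;` in the `is_invalid_tld_srv_target()` branch of srv_find_realm exits the record loop without releasing anything. The allocation-failure path directly below it calls `rk_dns_free_data(r)`, frees each `(*res)[num_srv]` entry and `*res`, and sets `*res = NULL` before returning. The removed code only reached this return after that cleanup, so each lookup that hits a collision target now appears to leak the DNS reply and leaves `*res` pointing at entries collected so far. The function starts and ends outside the hunk, so whether a caller releases `*res` on error cannot be confirmed from here. Repeating the existing cleanup before the return, as sketched below, would keep the two error paths consistent.

```c
if (is_invalid_tld_srv_target(rr->u.srv->target)) {
    /* ... unchanged: krb5_warnx() call reporting the name collision ... */
    rk_dns_free_data(r);
    while(--num_srv >= 0)
        free((*res)[num_srv]);
    free(*res);
    *res = NULL;
    return KRB5_KDC_UNREACH;
}
```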