Pass NI_NUMERICSERV|NI_NUMERICSCOPE if NI_NUMERICHOST to getnameinfo.
This addresses part of https://github.com/heimdal/heimdal/issues/1214 to audit potential network leaks with [libdefaults] block_dns = yes. NI_NUMERICHOST is _probably_ sufficient -- we probably won't see many systems using NIS to look up service names by number if we fail to specify NI_NUMERICSERV, and such systems probably require careful auditing of their own. And I don't know of any way NI_NUMERICSCOPE could trigger network leaks. But named scope ids are such a niche option with IPv6 that setting it to forestall concerns can't hurt much, and it makes reviewing easier if we just unconditionally flip on all the numeric-only options.
Committed by Nico Williams

Parent: 4d39fe8d04
Commit: f051c36471
@@ -1117,7 +1117,7 @@ create_client(krb5_socket_t sock, int port, const char *moniker)
|
||||
|
||||
getnameinfo((struct sockaddr *)&c->sa, c->salen,
|
||||
c->servername, sizeof(c->servername),
|
||||
NULL, 0, NI_NUMERICHOST);
|
||||
NULL, 0, NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE);
|
||||
}
|
||||
|
||||
c->sock = krb5_storage_from_socket(sock);
|
||||
|
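Review bot: on the changed flags line of the getnameinfo() call, NI_NUMERICSCOPE is not defined by every platform's netdb.h, so confirm this file sees a fallback definition (for example, defining it to 0 when absent) or the build will break on those platforms. Also, the service arguments here are NULL, 0, so NI_NUMERICSERV has no effect on this particular call; that is harmless and matches the commit message's aim of setting every numeric-only flag for easier auditing, but a short comment saying so would spare the next reader from wondering. Finally, the return value of getnameinfo() is not checked in the visible lines, so on failure c->servername keeps whatever it held before; consider checking it and storing a known placeholder string.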