Pass NI_NUMERICSERV|NI_NUMERICSCOPE if NI_NUMERICHOST to getnameinfo.
This addresses part of https://github.com/heimdal/heimdal/issues/1214 to audit potential network leaks with [libdefaults] block_dns = yes.

NI_NUMERICHOST is _probably_ sufficient -- we probably won't see many systems using NIS to look up service names by number if we fail to specify NI_NUMERICSERV, and such systems probably require careful auditing of their own.

And I don't know of any way NI_NUMERICSCOPE could trigger network leaks. But named scope ids are such a niche option with IPv6 that setting it to forestall concerns can't hurt much, and it makes reviewing easier if we just unconditionally flip on all the numeric-only options.

committed by Nico Williams
parent 4d39fe8d04
commit f051c36471
@@ -656,7 +656,7 @@ add_locate(void *ctx, int type, struct sockaddr *addr)
|
||||
portnum = socket_get_port(addr);
|
||||
|
||||
ret = getnameinfo(addr, socklen, host, sizeof(host), port, sizeof(port),
|
||||
NI_NUMERICHOST|NI_NUMERICSERV);
|
||||
NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE);
|
||||
if (ret != 0)
|
||||
return 0;
|
||||
|
||||
|
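
Review bot: NI_NUMERICSCOPE is used unguarded in the getnameinfo() flags in add_locate(), so if any supported platform's <netdb.h> lacks that constant the build breaks there; please confirm a fallback definition is in scope for this file, or wrap the flag in an #ifdef. Since the commit message wants every NI_NUMERICHOST caller to carry the same three flags, consider defining the combination once as a shared macro and using it here, so a block_dns audit can grep for one name instead of comparing flag lists call by call. Separately, the unchanged `if (ret != 0) return 0;` right after the call drops the address silently on failure; a debug log of the getnameinfo() error at that point would make a skipped KDC address easier to diagnose.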