Pass NI_NUMERICSERV|NI_NUMERICSCOPE if NI_NUMERICHOST to getnameinfo.

This addresses part of https://github.com/heimdal/heimdal/issues/1214
to audit potential network leaks with [libdefaults] block_dns = yes.

NI_NUMERICHOST is _probably_ sufficient -- we probably won't see many
systems using NIS to look up service names by number if we fail to
specify NI_NUMERICSERV, and such systems probably require careful
auditing of their own.  And I don't know of any way NI_NUMERICSCOPE
could trigger network leaks.  But named scope ids are such a niche
option with IPv6 that setting it to forestall concerns can't hurt
much, and it makes reviewing easier if we just unconditionally flip
on all the numeric-only options.
Taylor R Campbell
2024-01-10 01:20:02 +00:00
committed by Nico Williams
parent 4d39fe8d04
commit f051c36471
4 changed files with 6 additions and 4 deletions


@@ -369,7 +369,8 @@ debug_host(krb5_context context, int level, struct host *host, const char *fmt,
proto = "udp";
if (getnameinfo(host->ai->ai_addr, host->ai->ai_addrlen,
name, sizeof(name), port, sizeof(port), NI_NUMERICHOST) != 0)
name, sizeof(name), port, sizeof(port),
NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE) != 0)
name[0] = '\0';
switch (host->state) {
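Review bot: The new flags line in debug_host uses NI_NUMERICSCOPE unconditionally, so this file will only build where the platform's netdb.h defines that macro. If any supported platform lacks it, a fallback (for example defining it to 0 in the portability header when it is absent) needs to be in place before this call; that is not visible in this hunk, so please confirm one of the other changed files covers it. Since the same three-flag combination is presumably repeated across the four changed files, a single named macro for "numeric-only getnameinfo flags" would also make the block_dns audit easier to keep complete when new call sites are added.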