oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Ensure all calls to getaddrinfo are headed by a block_dns check.

Browse Source 
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.

Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
This commit is contained in:
Taylor R Campbell
2023-06-09 00:08:21 +00:00
committed by Nico Williams
parent fa4c4430f6
commit fd77c4000d
11 changed files with 70 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
kdc/hprop.c
View File

@@ -61,6 +61,11 @@ open_socket(krb5_context context, const char *hostname, const char *port)
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
NULL)) {
hints.ai_flags &= ~AI_CANONNAME;
hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
}
error = getaddrinfo (hostname, port, &hints, &ai);
if (error) {
warnx ("%s: %s", hostname, gai_strerror(error));