oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Ensure all calls to getaddrinfo are headed by a block_dns check.

Browse Source 
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.

Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
This commit is contained in:
Taylor R Campbell
2023-06-09 00:08:21 +00:00
committed by Nico Williams
parent fa4c4430f6
commit fd77c4000d
11 changed files with 70 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/krb5/expand_hostname.c
View File

@@ -68,7 +68,8 @@ krb5_expand_hostname (krb5_context context,
struct addrinfo *ai, *a, hints;
int error;
if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0)
if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0 ||
krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", NULL))
return copy_hostname (context, orig_hostname, new_hostname);
memset (&hints, 0, sizeof(hints));