oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Ensure all calls to getaddrinfo are headed by a block_dns check.

Browse Source 
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.

Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
This commit is contained in:
Taylor R Campbell
2023-06-09 00:08:21 +00:00
committed by Nico Williams
parent fa4c4430f6
commit fd77c4000d
11 changed files with 70 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/krb5/get_addrs.c
View File

@@ -50,6 +50,14 @@ gethostname_fallback (krb5_context context, krb5_addresses *res)
char hostname[MAXHOSTNAMELEN];
struct hostent *hostent;
if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
NULL)) {
ret = ENXIO;
krb5_set_error_message(context, ret,
"DNS blocked in gethostname fallback");
return ret;
}
if (gethostname (hostname, sizeof(hostname))) {
ret = errno;
krb5_set_error_message(context, ret, "gethostname: %s", strerror(ret));