oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Ensure all calls to getaddrinfo are headed by a block_dns check.

Browse Source 
If block_dns is set, call getaddrinfo with AI_NUMERICHOST set and
AI_CANONNAME clear.

Some paths may not have set AI_CANONNAME, but it's easier to audit
this way when the getaddrinfo prelude is uniform across call sites,
and the compiler can optimize it away.
This commit is contained in:
Taylor R Campbell
2023-06-09 00:08:21 +00:00
committed by Nico Williams
parent fa4c4430f6
commit fd77c4000d
11 changed files with 70 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
lib/krb5/get_for_creds.c
View File

@@ -329,7 +329,7 @@ get_addresses(krb5_context context,
krb5_creds *ticket;
krb5_const_realm realm;
krb5_boolean noaddr;
struct addrinfo *ai;
struct addrinfo *ai, hints;
int eai;
if (hostname == 0)
@@ -349,8 +349,13 @@ get_addresses(krb5_context context,
return 0;
/* Need addresses, get the address of the remote host. */
eai = getaddrinfo (hostname, NULL, NULL, &ai);
memset(&hints, 0, sizeof(hints));
if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
NULL)) {
hints.ai_flags &= ~AI_CANONNAME;
hints.ai_flags |= AI_NUMERICHOST;
}
eai = getaddrinfo(hostname, NULL, &hints, &ai);
if (eai) {
ret = krb5_eai_to_heim_errno(eai, errno);
krb5_set_error_message(context, ret,