From 79c2c294306d7229b974d3e45c3919dbacff5f5d Mon Sep 17 00:00:00 2001 From: itojun Date: Tue, 27 May 2003 02:19:44 +0000 Subject: if reverse lookup result looks like a numeric hostname, someone is trying to trick us by PTR record like following: 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 so protect against this kind of attacks. deraadt ok --- lib/libwrap/socket.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) (limited to 'lib/libwrap/socket.c') diff --git a/lib/libwrap/socket.c b/lib/libwrap/socket.c index 4ca3461c466..e1ac8766b4f 100644 --- a/lib/libwrap/socket.c +++ b/lib/libwrap/socket.c @@ -1,4 +1,4 @@ -/* $OpenBSD: socket.c,v 1.5 2002/06/07 03:32:04 itojun Exp $ */ +/* $NetBSD: socket.c,v 1.17 2003/05/26 10:05:07 itojun Exp $ */ /* * This module determines the type of socket (datagram, stream), the client @@ -21,7 +21,7 @@ #if 0 static char sccsid[] = "@(#) socket.c 1.15 97/03/21 19:27:24"; #else -static char rcsid[] = "$OpenBSD: socket.c,v 1.5 2002/06/07 03:32:04 itojun Exp $"; +static char rcsid[] = "$OpenBSD: socket.c,v 1.6 2003/05/27 02:19:44 itojun Exp $"; #endif #endif 
@@ -173,6 +173,27 @@ struct host_info *host; } if (getnameinfo(sa, sa->sa_len, host->name, sizeof(host->name), NULL, 0, NI_NAMEREQD) == 0) { + /* + * if reverse lookup result looks like a numeric hostname, + * someone is trying to trick us by PTR record like following: + * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 + */ + memset(&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_DGRAM; /*dummy*/ + hints.ai_flags = AI_NUMERICHOST; +#ifdef APPEND_DOT + if (getaddrinfo(append_dot(host->name), "0", &hints, &res0) == 0) +#else + if (getaddrinfo(host->name, "0", &hints, &res0) == 0) +#endif + { + tcpd_warn("Nasty PTR record is configured"); + freeaddrinfo(res0); + /* name is bad, clobber it */ + (void)strlcpy(host->name, paranoid, sizeof(host->name)); + return; + } + /* * Verify that the address is a member of the address list returned * by getaddrinfo(hostname). -- cgit v1.2.3-59-g8ed1b
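Review bot: In the `#ifdef APPEND_DOT` branch the numeric test runs on `append_dot(host->name)` rather than on the name getnameinfo() returned. If append_dot() adds a trailing dot, as its name suggests, an `AI_NUMERICHOST` parse of a string such as `2.3.4.5.` will most likely fail, so builds with APPEND_DOT would not reject the PTR record the comment describes. The numeric check does not need the dot, so I would drop the `#ifdef` and use `if (getaddrinfo(host->name, "0", &hints, &res0) == 0)` in both configurations. The warning also records neither the returned name nor the client; logging it before the name is overwritten with `paranoid`, e.g. `tcpd_warn("Nasty PTR record \"%s\" is configured", host->name);`, would make the event traceable in the logs. The enclosing function starts and continues outside this hunk, so the declarations of `hints` and `res0` are not visible here.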