[28294] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Don't check kpasswd reply address

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Mar 20 17:47:39 2014

Date: Thu, 20 Mar 2014 17:47:35 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201403202147.s2KLlZRo014645@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/b562400826409deceb0d52ffbe6570670ee9db55
commit b562400826409deceb0d52ffbe6570670ee9db55
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
Date:   Wed Oct 9 15:03:16 2013 -0400

    Don't check kpasswd reply address
    
    Don't check the address of the kpasswd server when parsing the reply
    we received from it.  If the server's address was modified by a proxy
    or other network element, the user will be incorrectly warned that the
    password change failed when it succeeded.  The check is unnecessary as
    the kpasswd protocol is not subject to a reflection attack.
    
    [ghudson@mit.edu: edit commit message]
    
    ticket: 7886 (new)

 src/lib/krb5/os/changepw.c |   21 ---------------------
 1 files changed, 0 insertions(+), 21 deletions(-)

diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 462910f..4d8abd9 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -214,7 +214,6 @@ change_set_password(krb5_context context,
                     krb5_data *result_string)
 {
     krb5_data                   chpw_rep;
-    krb5_address                remote_kaddr;
     krb5_boolean                use_tcp = 0;
     GETSOCKNAME_ARG3_TYPE       addrlen;
     krb5_error_code             code = 0;
@@ -272,26 +271,6 @@ change_set_password(krb5_context context,
             break;
         }
 
-        if (remote_addr.ss_family == AF_INET) {
-            remote_kaddr.addrtype = ADDRTYPE_INET;
-            remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
-            remote_kaddr.contents =
-                (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
-        } else if (remote_addr.ss_family == AF_INET6) {
-            remote_kaddr.addrtype = ADDRTYPE_INET6;
-            remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
-            remote_kaddr.contents =
-                (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
-        } else {
-            break;
-        }
-
-        if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
-                                           callback_ctx.auth_context,
-                                           NULL,
-                                           &remote_kaddr)))
-            break;
-
         code = krb5int_rd_chpw_rep(callback_ctx.context,
                                    callback_ctx.auth_context,
                                    &chpw_rep, &local_result_code,
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post