[16305] in Kerberos-V5-bugs


[krbdev.mit.edu #8809] Do not call getaddrinfo() with invalid

daemon@ATHENA.MIT.EDU (Jeffrey Altman via RT)
Fri May 24 01:37:51 2019

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: Jeffrey Altman via RT <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8809@krbdev.mit.edu>
Message-ID: <rt-8809-49443.7.17125109870956@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8809'":;
Date: Fri, 24 May 2019 01:37:41 -0400
MIME-Version: 1.0
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Content-Type: multipart/mixed; boundary="===============1333035433390312518=="
Errors-To: krb5-bugs-bounces@mit.edu


gss-krb5 when passed a two component acceptor name passes the second component to getaddrinfo() to canonicalize it.   While it is often the case that the second component of a service name is a hostname, it is not always a hostname.   The afs rxgk security class service name is of the form

   afs-rxgk/_afs.<cellname>

Names that begin with an underscore are not valid DNS hostnames and should not be passed to getaddrinfo() which will happily issue a query which cannot be successfully resolved.  Underscores are valid for SRV and TXT records.  They are not valid for A/AAAA/CNAME lookups as performed by getaddrinfo().

Kerberos should validate the names passed to getaddrinfo() to avoid unnecessary network queries and timeouts.

A valid host name only consists of [a-z][A-Z][0-9] and the hyphen '-'.




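An added example, not part of the original report and not code from the krb5 source: a syntactic hostname check placed in front of getaddrinfo(), so that a name such as `_afs.<cellname>` is kept verbatim and never reaches the resolver. The function names and the sample name `_afs.example.org` used to exercise it are hypothetical; the dot separator, the length limits and the hyphen-placement rule go beyond the character set stated in the report and are labelled as assumptions in the code.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose getaddrinfo() under strict -std */
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* 1 if name is syntactically a DNS hostname, else 0. Letters, digits and '-'
 * are the report's rule; '.' as label separator, the 63/253 length limits and
 * no leading/trailing '-' are assumptions added here (RFC 1035, RFC 1123). */
int is_dns_hostname(const char *name)
{
    size_t total = strlen(name), label_len = 0;
    if (total == 0 || total > 253)
        return 0;
    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)name[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
        if (c == '.') {                 /* empty label or label ending in '-' */
            if (label_len == 0 || name[i - 1] == '-')
                return 0;
            label_len = 0;
        } else if (alnum || (c == '-' && label_len > 0)) {
            if (++label_len > 63)
                return 0;
        } else {
            return 0;                   /* '_' and any other byte */
        }
    }
    return name[total - 1] != '-';
}

/* Hypothetical wrapper: returns 1 if the resolver was queried successfully,
 * 0 if skipped or failed; out holds the input unless it was canonicalized. */
int canonicalize_component(const char *name, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    snprintf(out, outlen, "%s", name);
    if (!is_dns_hostname(name))
        return 0;                       /* no DNS query is issued */
    memset(&hints, 0, sizeof(hints));
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return 0;
    if (res->ai_canonname != NULL)
        snprintf(out, outlen, "%s", res->ai_canonname);
    freeaddrinfo(res);
    return 1;
}
```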