[3271] in Kerberos-V5-bugs
krb5-libs/1016: gss_import_name doesn't follow RFC 2743
daemon@ATHENA.MIT.EDU (ratliff@austin.ibm.com)
Wed Nov 14 19:50:04 2001
Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, ratliff@austin.ibm.com
Message-Id: <20011115004935.C808282ADE@spiff.austin.ibm.com>
Date: Wed, 14 Nov 2001 18:49:35 -0600 (CST)
From: ratliff@austin.ibm.com
Reply-To: ratliff@austin.ibm.com
To: krb5-bugs@mit.edu
Cc: ratliff@austin.ibm.com
>Number: 1016
>Category: krb5-libs
>Synopsis: gss_import_name returns GSS_S_BAD_NAME if DNS lookup fails
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Nov 14 19:50:01 EST 2001
>Last-Modified:
>Originator: Emily Ratliff
>Organization:
IBM Linux Technology Center, Security
>Release: krb5-current-2011110
>Environment:
System: Linux spiff.austin.ibm.com 2.2.17-21mdk #1 Thu Oct 5 13:16:08 CEST 2000 i686 unknown
Architecture: i686
>Description:
gss_import_name in src/lib/krb5/os/sn2princ.c currently returns
GSS_S_BAD_NAME if the call to gethostbyname fails. RFC2743 says,
"the 'hostname' may ... be canonicalized by attempting a DNS lookup
and using the fully-qualified domain name which is returned, or by
using the 'hostname' as provided if the DNS lookup fails."
Understanding that this is a MAY provision and not a MUST, is there
a reason you decided not to do this?
The attached patch changes the behavior of gss_import_name to follow
the suggestion in the RFC. It is an easy fix, but ugly patch as
the code had to be retabbed.
Thanks,
Emily
>How-To-Repeat:
>Fix:
diff -ur src.orig/lib/krb5/os/sn2princ.c src/lib/krb5/os/sn2princ.c
--- src.orig/lib/krb5/os/sn2princ.c Wed Nov 14 17:07:03 2001
+++ src/lib/krb5/os/sn2princ.c Wed Nov 14 18:32:57 2001
@@ -69,27 +69,34 @@
if (type == KRB5_NT_SRV_HST) {
char *addr;
- if (!(hp = gethostbyname(hostname)))
- return KRB5_ERR_BAD_HOSTNAME;
- remote_host = strdup(hp->h_name);
- if (!remote_host)
- return ENOMEM;
- /*
- * Do a reverse resolution to get the full name, just in
- * case there's some funny business going on. If there
- * isn't an in-addr record, give up.
+ /* RFC 1964 says that if DNS lookup fails hostname should be
+ * left as is.
*/
- addr = malloc(hp->h_length);
- if (!addr)
- return ENOMEM;
- memcpy(addr, hp->h_addr, hp->h_length);
- hp = gethostbyaddr(addr, hp->h_length, hp->h_addrtype);
- free(addr);
- if (hp) {
- free(remote_host);
+ if (!(hp = gethostbyname(hostname))) {
+ remote_host = strdup(hostname);
+ }
+ else {
remote_host = strdup(hp->h_name);
- if (!remote_host)
+
+ if (!remote_host)
return ENOMEM;
+ /*
+ * Do a reverse resolution to get the full name, just in
+ * case there's some funny business going on. If there
+ * isn't an in-addr record, give up.
+ */
+ addr = malloc(hp->h_length);
+ if (!addr)
+ return ENOMEM;
+ memcpy(addr, hp->h_addr, hp->h_length);
+ hp = gethostbyaddr(addr, hp->h_length, hp->h_addrtype);
+ free(addr);
+ if (hp) {
+ free(remote_host);
+ remote_host = strdup(hp->h_name);
+ if (!remote_host)
+ return ENOMEM;
+ }
}
} else /* type == KRB5_NT_UNKNOWN */ {
remote_host = strdup(hostname);
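Review bot: The fallback `remote_host = strdup(hostname);` added in the `if (!(hp = gethostbyname(hostname)))` branch is never checked for NULL within this hunk. The `if (!remote_host) return ENOMEM;` test now sits only inside the `else` branch, after `strdup(hp->h_name)`, so an allocation failure on the DNS-failure path goes unnoticed here. Suggest moving that check below the closing brace of the if/else so it covers both `strdup` calls. The new comment cites RFC 1964, while the report quotes the canonicalization text from RFC 2743; the comment should name the RFC the wording comes from. Separately, the `return ENOMEM;` after a failed `malloc(hp->h_length)` returns without freeing `remote_host`. That is carried over from the removed lines, but since the block is being re-indented anyway it would be worth adding `free(remote_host);` before that return.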
>Audit-Trail:
>Unformatted: