summaryrefslogtreecommitdiff
path: root/canohost.c
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2003-06-03 10:25:48 +1000
committerDamien Miller <djm@mindrot.org>2003-06-03 10:25:48 +1000
commit3a961dc0d36c1f87788b707130f6d07709822d38 (patch)
tree57f3a729408e4cbe08fa7f9699de2e583e0b2ca0 /canohost.c
parent35276253a60a3e57ec21b82b2e3c81e03c0206de (diff)
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/02 09:17:34 [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c] [canohost.c monitor.c servconf.c servconf.h session.c sshd_config] [sshd_config.5] deprecate VerifyReverseMapping since it's dangerous if combined with IP based access control as noted by Mike Harding; replace with a UseDNS option, UseDNS is on by default and includes the VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ ok deraadt@, djm@ - (djm) Fix portable-specific uses of verify_reverse_mapping too
Diffstat (limited to 'canohost.c')
-rw-r--r--canohost.c44
1 files changed, 27 insertions, 17 deletions
diff --git a/canohost.c b/canohost.c
index 417d95c1..533f2c24 100644
--- a/canohost.c
+++ b/canohost.c
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: canohost.c,v 1.36 2003/04/08 20:21:28 itojun Exp $");
+RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $");
#include "packet.h"
#include "xmalloc.h"
@@ -27,7 +27,7 @@ static void check_ip_options(int, char *);
*/
static char *
-get_remote_hostname(int socket, int verify_reverse_mapping)
+get_remote_hostname(int socket, int use_dns)
{
struct sockaddr_storage from;
int i;
@@ -72,6 +72,9 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
NULL, 0, NI_NUMERICHOST) != 0)
fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
+ if (!use_dns)
+ return xstrdup(ntop);
+
if (from.ss_family == AF_INET)
check_ip_options(socket, ntop);
@@ -80,14 +83,24 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
-#if 0
- logit("Could not reverse map address %.100s.", ntop);
-#endif
return xstrdup(ntop);
}
- /* Got host name. */
- name[sizeof(name) - 1] = '\0';
+ /*
+ * if reverse lookup result looks like a numeric hostname,
+ * someone is trying to trick us by PTR record like following:
+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ if (getaddrinfo(name, "0", &hints, &ai) == 0) {
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
+ return xstrdup(ntop);
+ }
+
/*
* Convert it to all lowercase (which is expected by the rest
* of this software).
@@ -95,9 +108,6 @@ get_remote_hostname(int socket, int verify_reverse_mapping)
for (i = 0; name[i]; i++)
if (isupper(name[i]))
name[i] = tolower(name[i]);
-
- if (!verify_reverse_mapping)
- return xstrdup(name);
/*
* Map it back to an IP address and check that the given
* address actually is an address of this host. This is
@@ -180,14 +190,14 @@ check_ip_options(int socket, char *ipaddr)
*/
const char *
-get_canonical_hostname(int verify_reverse_mapping)
+get_canonical_hostname(int use_dns)
{
static char *canonical_host_name = NULL;
- static int verify_reverse_mapping_done = 0;
+ static int use_dns_done = 0;
/* Check if we have previously retrieved name with same option. */
if (canonical_host_name != NULL) {
- if (verify_reverse_mapping_done != verify_reverse_mapping)
+ if (use_dns_done != use_dns)
xfree(canonical_host_name);
else
return canonical_host_name;
@@ -196,11 +206,11 @@ get_canonical_hostname(int verify_reverse_mapping)
/* Get the real hostname if socket; otherwise return UNKNOWN. */
if (packet_connection_is_on_socket())
canonical_host_name = get_remote_hostname(
- packet_get_connection_in(), verify_reverse_mapping);
+ packet_get_connection_in(), use_dns);
else
canonical_host_name = xstrdup("UNKNOWN");
- verify_reverse_mapping_done = verify_reverse_mapping;
+ use_dns_done = use_dns;
return canonical_host_name;
}
@@ -294,11 +304,11 @@ get_remote_ipaddr(void)
}
const char *
-get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping)
+get_remote_name_or_ip(u_int utmp_len, int use_dns)
{
static const char *remote = "";
if (utmp_len > 0)
- remote = get_canonical_hostname(verify_reverse_mapping);
+ remote = get_canonical_hostname(use_dns);
if (utmp_len == 0 || strlen(remote) > utmp_len)
remote = get_remote_ipaddr();
return remote;