Add Itojun's CAVEATS section.

author: millert <> 2004-12-20 22:33:09 +0000
committer: millert <> 2004-12-20 22:33:09 +0000
commit: 1162f5676951c2e5a415889f56385c0663c2f6fd (patch)
tree: 595348c97ea7f2879d7ee23c921de4017faf9ea4 /src/lib/libc
parent: 04593fd1f06297315cafac4b57721e20b09013c7 (diff)
download: openbsd-1162f5676951c2e5a415889f56385c0663c2f6fd.tar.gz
openbsd-1162f5676951c2e5a415889f56385c0663c2f6fd.tar.bz2
openbsd-1162f5676951c2e5a415889f56385c0663c2f6fd.zip
1 files changed, 55 insertions, 1 deletions
diff --git a/src/lib/libc/net/getnameinfo.3 b/src/lib/libc/net/getnameinfo.3
index 9085ff6971..050ec5a442 100644
--- a/src/lib/libc/net/getnameinfo.3
+++ b/src/lib/libc/net/getnameinfo.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: getnameinfo.3,v 1.32 2004/12/20 22:30:10 millert Exp $
+.\"     $OpenBSD: getnameinfo.3,v 1.33 2004/12/20 22:33:09 millert Exp $
 .\"
 .\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001  Internet Software Consortium.
@@ -197,6 +197,60 @@ function is defined by the
 draft specification and documented in
 .Tn "RFC 2553" ,
 .Dq Basic Socket Interface Extensions for IPv6 .
+.Sh CAVEATS
+.Fn getnameinfo
+can return both numeric and FQDN forms of the address specified in
+.Fa sa .
+There is no return value that indicates whether the string returned in
+.Fa host
+is a result of binary to numeric-text translation (like
+.Xr inet_ntop 3 ) ,
+or is the result of a DNS reverse lookup.
+Because of this, malicious parties could set up a PTR record as follows:
+.Bd -literal -offset indent
+1.0.0.127.in-addr.arpa. IN PTR  10.1.1.1
+.Ed
+.Pp
+and trick the caller of
+.Fn getnameinfo
+into believing that
+.Fa sa
+is
+.Li 10.1.1.1
+when it is actually
+.Li 127.0.0.1 .
+.Pp
+To prevent such attacks, the use of
+.Dv NI_NAMEREQD
+is recommended when you use the result of
+.Fn getnameinfo
+for access control purposes:
+.Bd -literal -offset indent
+struct sockaddr *sa;
+socklen_t salen;
+char addr[NI_MAXHOST];
+struct addrinfo hints, *res;
+int error;
+error = getnameinfo(sa, salen, addr, sizeof(addr),
+    NULL, 0, NI_NAMEREQD);
+if (error == 0) {
+        memset(&hints, 0, sizeof(hints));
+        hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+        hints.ai_flags = AI_NUMERICHOST;
+        if (getaddrinfo(addr, "0", &hints, &res) == 0) {
+                /* malicious PTR record */
+                freeaddrinfo(res);
+                printf("bogus PTR record\\n");
+                return -1;
+        }
+        /* addr is FQDN as a result of PTR lookup */
+} else {
+        /* addr is numeric string */
+        error = getnameinfo(sa, salen, addr, sizeof(addr),
+            NULL, 0, NI_NUMERICHOST);
+}
+.Ed
 .Sh BUGS
 Due to the use of dynamic allocation,
 .Fn getaddrinfo
author	millert <>	2004-12-20 22:33:09 +0000
committer	millert <>	2004-12-20 22:33:09 +0000
commit	1162f5676951c2e5a415889f56385c0663c2f6fd (patch)
tree	595348c97ea7f2879d7ee23c921de4017faf9ea4 /src/lib/libc
parent	04593fd1f06297315cafac4b57721e20b09013c7 (diff)
download	openbsd-1162f5676951c2e5a415889f56385c0663c2f6fd.tar.gz openbsd-1162f5676951c2e5a415889f56385c0663c2f6fd.tar.bz2 openbsd-1162f5676951c2e5a415889f56385c0663c2f6fd.zip

diff --git a/src/lib/libc/net/getnameinfo.3 b/src/lib/libc/net/getnameinfo.3 index 9085ff6971..050ec5a442 100644 --- a/src/lib/libc/net/getnameinfo.3 +++ b/src/lib/libc/net/getnameinfo.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: getnameinfo.3,v 1.32 2004/12/20 22:30:10 millert Exp $	1	.\" $OpenBSD: getnameinfo.3,v 1.33 2004/12/20 22:33:09 millert Exp $
2	.\"	2	.\"
3	.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")	3	.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
4	.\" Copyright (C) 2000, 2001 Internet Software Consortium.	4	.\" Copyright (C) 2000, 2001 Internet Software Consortium.
@@ -197,6 +197,60 @@ function is defined by the
197	draft specification and documented in	197	draft specification and documented in
198	.Tn "RFC 2553" ,	198	.Tn "RFC 2553" ,
199	.Dq Basic Socket Interface Extensions for IPv6 .	199	.Dq Basic Socket Interface Extensions for IPv6 .
		200	.Sh CAVEATS
		201	.Fn getnameinfo
		202	can return both numeric and FQDN forms of the address specified in
		203	.Fa sa .
		204	There is no return value that indicates whether the string returned in
		205	.Fa host
		206	is a result of binary to numeric-text translation (like
		207	.Xr inet_ntop 3 ) ,
		208	or is the result of a DNS reverse lookup.
		209	Because of this, malicious parties could set up a PTR record as follows:
		210	.Bd -literal -offset indent
		211	1.0.0.127.in-addr.arpa. IN PTR 10.1.1.1
		212	.Ed
		213	.Pp
		214	and trick the caller of
		215	.Fn getnameinfo
		216	into believing that
		217	.Fa sa
		218	is
		219	.Li 10.1.1.1
		220	when it is actually
		221	.Li 127.0.0.1 .
		222	.Pp
		223	To prevent such attacks, the use of
		224	.Dv NI_NAMEREQD
		225	is recommended when you use the result of
		226	.Fn getnameinfo
		227	for access control purposes:
		228	.Bd -literal -offset indent
		229	struct sockaddr *sa;
		230	socklen_t salen;
		231	char addr[NI_MAXHOST];
		232	struct addrinfo hints, *res;
		233	int error;
		234
		235	error = getnameinfo(sa, salen, addr, sizeof(addr),
		236	NULL, 0, NI_NAMEREQD);
		237	if (error == 0) {
		238	memset(&hints, 0, sizeof(hints));
		239	hints.ai_socktype = SOCK_DGRAM; /dummy/
		240	hints.ai_flags = AI_NUMERICHOST;
		241	if (getaddrinfo(addr, "0", &hints, &res) == 0) {
		242	/* malicious PTR record */
		243	freeaddrinfo(res);
		244	printf("bogus PTR record\\n");
		245	return -1;
		246	}
		247	/* addr is FQDN as a result of PTR lookup */
		248	} else {
		249	/* addr is numeric string */
		250	error = getnameinfo(sa, salen, addr, sizeof(addr),
		251	NULL, 0, NI_NUMERICHOST);
		252	}
		253	.Ed
200	.Sh BUGS	254	.Sh BUGS
201	Due to the use of dynamic allocation,	255	Due to the use of dynamic allocation,
202	.Fn getaddrinfo	256	.Fn getaddrinfo