1 files changed, 55 insertions, 1 deletions
diff --git a/src/lib/libc/net/getnameinfo.3 b/src/lib/libc/net/getnameinfo.3
index 03b6149e01..00c70bdb7a 100644
--- a/src/lib/libc/net/getnameinfo.3
+++ b/src/lib/libc/net/getnameinfo.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: getnameinfo.3,v 1.22 2003/08/08 09:26:02 jmc Exp $
+.\"     $OpenBSD: getnameinfo.3,v 1.23 2003/08/28 01:42:18 itojun Exp $
 .\"     $KAME: getnameinfo.3,v 1.20 2001/01/05 13:37:37 itojun Exp $
 .\"
 .\" Copyright (c) 1983, 1987, 1991, 1993
@@ -282,6 +282,60 @@ and documented in
 .Sh HISTORY
 The implementation first appeared in WIDE Hydrangea IPv6 protocol stack kit.
 .\"
+.Sh CAVEATS
+.Nm
+returns both numeric and FQDN notation of the address specified in
+.Fa sa .
+There is no return value that indicates if the string returned in
+.Fa host
+is a result of binary to numeric-text translation (like
+.Xr inet_ntop 3
+), or the result of DNS reverse lookup.
+Therefore, malicious parties could set up PTR record like below:
+.Bd -literal -offset indent
+1.0.0.127.in-addr.arpa. IN PTR  10.1.1.1
+.Ed
+.Pp
+and trick the caller of
+.Nm
+to believe that
+.Fa sa
+is
+.Li 10.1.1.1
+when it actually is
+.Li 127.0.0.1 .
+.Pp
+To prevent such attacks, the use of 
+.Li NI_NAMEREQD
+like below is recommended when you use the result of
+.Nm
+for access control purposes.
+.Bd -literal -offset indent
+struct sockaddr *sa;
+socklen_t salen;
+char addr[NI_MAXHOST];
+struct addrinfo hints, *res;
+error = getnameinfo(sa, salen, addr, sizeof(addr),
+    NULL, 0, NI_NAMEREQD);
+if (error == 0) {
+        memset(&hints, 0, sizeof(hints));
+        hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+        hints.ai_flags = AI_NUMERICHOST;
+        if (getaddrinfo(addr, "0", &hints, &res) == 0) {
+                /* malicious PTR record */
+                freeaddrinfo(res);
+                printf("bogus PTR record\\n");
+                return -1;
+        }
+        /* addr is FQDN as a result of PTR lookup */
+} else {
+        /* addr is numeric string */
+        error = getnameinfo(sa, salen, addr, sizeof(addr),
+            NULL, 0, 0);
+}
+.Ed
+.\"
 .Sh BUGS
 The current implementation is not thread-safe.
 .Pp

diff --git a/src/lib/libc/net/getnameinfo.3 b/src/lib/libc/net/getnameinfo.3 index 03b6149e01..00c70bdb7a 100644 --- a/src/lib/libc/net/getnameinfo.3 +++ b/src/lib/libc/net/getnameinfo.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: getnameinfo.3,v 1.22 2003/08/08 09:26:02 jmc Exp $	1	.\" $OpenBSD: getnameinfo.3,v 1.23 2003/08/28 01:42:18 itojun Exp $
2	.\" $KAME: getnameinfo.3,v 1.20 2001/01/05 13:37:37 itojun Exp $	2	.\" $KAME: getnameinfo.3,v 1.20 2001/01/05 13:37:37 itojun Exp $
3	.\"	3	.\"
4	.\" Copyright (c) 1983, 1987, 1991, 1993	4	.\" Copyright (c) 1983, 1987, 1991, 1993
@@ -282,6 +282,60 @@ and documented in
282	.Sh HISTORY	282	.Sh HISTORY
283	The implementation first appeared in WIDE Hydrangea IPv6 protocol stack kit.	283	The implementation first appeared in WIDE Hydrangea IPv6 protocol stack kit.
284	.\"	284	.\"
		285	.Sh CAVEATS
		286	.Nm
		287	returns both numeric and FQDN notation of the address specified in
		288	.Fa sa .
		289	There is no return value that indicates if the string returned in
		290	.Fa host
		291	is a result of binary to numeric-text translation (like
		292	.Xr inet_ntop 3
		293	), or the result of DNS reverse lookup.
		294	Therefore, malicious parties could set up PTR record like below:
		295	.Bd -literal -offset indent
		296	1.0.0.127.in-addr.arpa. IN PTR 10.1.1.1
		297	.Ed
		298	.Pp
		299	and trick the caller of
		300	.Nm
		301	to believe that
		302	.Fa sa
		303	is
		304	.Li 10.1.1.1
		305	when it actually is
		306	.Li 127.0.0.1 .
		307	.Pp
		308	To prevent such attacks, the use of
		309	.Li NI_NAMEREQD
		310	like below is recommended when you use the result of
		311	.Nm
		312	for access control purposes.
		313	.Bd -literal -offset indent
		314	struct sockaddr *sa;
		315	socklen_t salen;
		316	char addr[NI_MAXHOST];
		317	struct addrinfo hints, *res;
		318
		319	error = getnameinfo(sa, salen, addr, sizeof(addr),
		320	NULL, 0, NI_NAMEREQD);
		321	if (error == 0) {
		322	memset(&hints, 0, sizeof(hints));
		323	hints.ai_socktype = SOCK_DGRAM; /dummy/
		324	hints.ai_flags = AI_NUMERICHOST;
		325	if (getaddrinfo(addr, "0", &hints, &res) == 0) {
		326	/* malicious PTR record */
		327	freeaddrinfo(res);
		328	printf("bogus PTR record\\n");
		329	return -1;
		330	}
		331	/* addr is FQDN as a result of PTR lookup */
		332	} else {
		333	/* addr is numeric string */
		334	error = getnameinfo(sa, salen, addr, sizeof(addr),
		335	NULL, 0, 0);
		336	}
		337	.Ed
		338	.\"
285	.Sh BUGS	339	.Sh BUGS
286	The current implementation is not thread-safe.	340	The current implementation is not thread-safe.
287	.Pp	341	.Pp