[krbdev.mit.edu #8809] Do not call getaddrinfo() with invalid hostnames

Greg Hudson via RT rt at KRBDEV-PROD-APP-1.mit.edu
Tue Mar 31 02:12:18 EDT 2020


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8809 >

On Fri May 24 01:37:41 2019, jaltman at secure-endpoints.com wrote:

  gss-krb5 when passed a two component acceptor name passes the second
  component to getaddrinfo() to canonicalize it. While it is often the case
  that the second component of a service name is a hostname, it is not always
  a hostname.

Apologies for letting this sit for a year and then coming back with an
argument, but: does it make sense to use GSS_C_NT_HOSTBASED_SERVICE when the
second part of the name isn't a hostname? RFC 2743 section 4.1 is pretty clear
that the second part is a hostname. Would it be better to import using
GSS_KRB5_NT_PRINCIPAL_NAME?
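
As an added illustration of the ticket's subject (not code from MIT krb5 or from either participant): a syntactic pre-check in C that decides whether the second part of a "service@hostname" name should be handed to a resolver such as getaddrinfo() at all. The function names and the validity rule (RFC 1123-style letter/digit/hyphen labels) are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed rule: total length 1..253, dot-separated labels of 1..63
 * characters, each label made of ASCII letters, digits and '-', and not
 * starting or ending with '-'.  One trailing dot (FQDN form) is accepted.
 * Returns 1 if s passes, 0 otherwise. */
int hostname_syntax_ok(const char *s)
{
    size_t len = strlen(s), label = 0, i;

    if (len > 0 && s[len - 1] == '.')
        len--;                              /* ignore one trailing dot */
    if (len == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];

        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;                   /* empty label, or ends in '-' */
            label = 0;
        } else if ((c < 128 && isalnum(c)) || (c == '-' && label > 0)) {
            if (++label > 63)
                return 0;                   /* label too long */
        } else {
            return 0;                       /* space, '_', '/', non-ASCII... */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Hypothetical helper: for a name of the form "service@second", return
 *   1  if the second part looks like a hostname and may be resolved,
 *   0  if it does not and should be used as given (no resolver call),
 *  -1  if there is no second part. */
int should_canonicalize(const char *hostbased)
{
    const char *at = strchr(hostbased, '@');

    if (at == NULL || at[1] == '\0')
        return -1;
    return hostname_syntax_ok(at + 1);
}
```

A caller would invoke getaddrinfo() only when should_canonicalize() returns 1; the sample names in the checks are constructed.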



