krb5 commit: Don't check kpasswd reply address
Greg Hudson
ghudson at MIT.EDU
Thu Mar 20 17:47:35 EDT 2014
https://github.com/krb5/krb5/commit/b562400826409deceb0d52ffbe6570670ee9db55
commit b562400826409deceb0d52ffbe6570670ee9db55
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date: Wed Oct 9 15:03:16 2013 -0400
Don't check kpasswd reply address
Don't check the address of the kpasswd server when parsing the reply
we received from it. If the server's address was modified by a proxy
or other network element, the user will be incorrectly warned that the
password change failed when it succeeded. The check is unnecessary as
the kpasswd protocol is not subject to a reflection attack.
[ghudson at mit.edu: edit commit message]
ticket: 7886 (new)
src/lib/krb5/os/changepw.c | 21 ---------------------
1 files changed, 0 insertions(+), 21 deletions(-)
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 462910f..4d8abd9 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -214,7 +214,6 @@ change_set_password(krb5_context context,
krb5_data *result_string)
{
krb5_data chpw_rep;
- krb5_address remote_kaddr;
krb5_boolean use_tcp = 0;
GETSOCKNAME_ARG3_TYPE addrlen;
krb5_error_code code = 0;
@@ -272,26 +271,6 @@ change_set_password(krb5_context context,
break;
}
- if (remote_addr.ss_family == AF_INET) {
- remote_kaddr.addrtype = ADDRTYPE_INET;
- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
- remote_kaddr.contents =
- (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
- } else if (remote_addr.ss_family == AF_INET6) {
- remote_kaddr.addrtype = ADDRTYPE_INET6;
- remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
- remote_kaddr.contents =
- (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
- } else {
- break;
- }
-
- if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
- callback_ctx.auth_context,
- NULL,
- &remote_kaddr)))
- break;
-
code = krb5int_rd_chpw_rep(callback_ctx.context,
callback_ctx.auth_context,
&chpw_rep, &local_result_code,