Date: Thu, 31 Dec 1998 11:00:01 -0800 (PST)
From: "Jasper O'Malley" <jooji@neptune.oceancomputer.com>
To: freebsd-bugs@FreeBSD.ORG
Subject: Re: bin/9226: telnetd can log wrong IP address to utmp
Message-ID: <199812311900.LAA27384@freefall.freebsd.org>
The following reply was made to PR bin/9226; it has been noted by GNATS.
From: "Jasper O'Malley" <jooji@neptune.oceancomputer.com>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc:
Subject: Re: bin/9226: telnetd can log wrong IP address to utmp
Date: Thu, 31 Dec 1998 13:54:50 -0500 (EST)
I've got a patch for src/libexec/telnetd/telnetd.c (in addition to my
other patch already submitted for src/libexec/telnetd/sys_term.c) that
does reverse-forward double-checking of source IP addresses before it
passes the hostname argument to "login -h". If a forward lookup of the
hostname generated by a reverse lookup of the IP address from the socket
object doesn't result in that same IP address, the original IP address is
what gets logged to utmp, not the bogus hostname, and not a bogus IP
address. As usual, any connection from a host with an IP address that
reverse resolves to a hostname longer than 16 characters is logged to utmp
with the IP address.
The first patch (necessary to completely close the hole) should be
earlier in the audit trail for this PR.
Here's the second:
*** /usr/src/libexec/telnetd/telnetd.c Sun May 3 12:33:32 1998
--- telnetd.c Thu Dec 31 13:45:26 1998
***************
*** 771,776 ****
--- 771,778 ----
{
char *host = NULL;
struct hostent *hp;
+ char **p = NULL;
+ char temp_host_name[MAXHOSTNAMELEN];
int ptynum;
/*
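Review bot: the new temp_host_name declaration carries no comment saying why a private copy of the name is needed. gethostbyaddr() and gethostbyname() return pointers into static storage, so the second lookup can overwrite what hp->h_name points to; a one-line comment to that effect would keep a later cleanup from removing the copy. Minor: the "= NULL" initializer on p is redundant because p is assigned from hp->h_addr_list before it is read, and a name such as addrp would say more than p.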
***************
*** 821,827 ****
Please contact your net administrator");
} else if (hp &&
(strlen(hp->h_name) <= ((utmp_len < 0) ? -utmp_len : utmp_len))) {
! host = hp->h_name;
} else {
host = inet_ntoa(who->sin_addr);
}
--- 823,852 ----
Please contact your net administrator");
} else if (hp &&
(strlen(hp->h_name) <= ((utmp_len < 0) ? -utmp_len : utmp_len))) {
!
! /* Here we check the validity of the hostname resolved with *
! * the gethostbyaddr() above. If a gethostbyname() resolves *
! * to the same IP address we used to do the gethostbyaddr() *
! * the hostname is valid. If not, pass the original address *
! * on to be logged into utmp */
!
! strncpy(temp_host_name, hp->h_name, sizeof(temp_host_name)-1);
! temp_host_name[sizeof(temp_host_name)-1] = 0;
! hp = gethostbyname(temp_host_name);
! host = inet_ntoa(who->sin_addr); /* default to log IP */
! if (hp != NULL) {
! p = hp->h_addr_list;
! while(1) {
! if (*p == 0) /* no addresses match */
! break;
! if (!bcmp(*p, &who->sin_addr,
! (size_t)hp->h_length)) { /* match */
! host = temp_host_name;
! break;
! }
! ++p;
! }
! }
} else {
host = inet_ntoa(who->sin_addr);
}
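Review bot: the bcmp() in the match loop compares hp->h_length bytes against who->sin_addr without checking that the forward lookup returned IPv4 addresses. Guard the loop with hp->h_addrtype == AF_INET and hp->h_length == sizeof(who->sin_addr) so the comparison can never read past the 4-byte sin_addr. The while(1) with two breaks would read more clearly as "for (p = hp->h_addr_list; *p != NULL; ++p)". A failed forward check also falls back to the IP address silently; a syslog() call on that path would leave a record that the reverse name did not confirm.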
[end patch]
Cheers,
Mick
