|
 |
4be148 |
commit b562400826409deceb0d52ffbe6570670ee9db55
|
|
|
4be148 |
Author: Nalin Dahyabhai <nalin@dahyabhai.net>
|
|
|
4be148 |
Date: Wed Oct 9 15:03:16 2013 -0400
|
|
|
4be148 |
|
|
|
4be148 |
Don't check kpasswd reply address
|
|
|
4be148 |
|
|
|
4be148 |
Don't check the address of the kpasswd server when parsing the reply
|
|
|
4be148 |
we received from it. If the server's address was modified by a proxy
|
|
|
4be148 |
or other network element, the user will be incorrectly warned that the
|
|
|
4be148 |
password change failed when it succeeded. The check is unnecessary as
|
|
|
4be148 |
the kpasswd protocol is not subject to a reflection attack.
|
|
|
4be148 |
|
|
|
4be148 |
[ghudson@mit.edu: edit commit message]
|
|
|
4be148 |
|
|
|
4be148 |
ticket: 7886 (new)
|
|
|
4be148 |
|
|
|
4be148 |
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
|
|
|
4be148 |
index 462910f..4d8abd9 100644
|
|
|
4be148 |
--- a/src/lib/krb5/os/changepw.c
|
|
|
4be148 |
+++ b/src/lib/krb5/os/changepw.c
|
|
|
4be148 |
@@ -214,7 +214,6 @@ change_set_password(krb5_context context,
|
|
|
4be148 |
krb5_data *result_string)
|
|
|
4be148 |
{
|
|
|
4be148 |
krb5_data chpw_rep;
|
|
|
4be148 |
- krb5_address remote_kaddr;
|
|
|
4be148 |
krb5_boolean use_tcp = 0;
|
|
|
4be148 |
GETSOCKNAME_ARG3_TYPE addrlen;
|
|
|
4be148 |
krb5_error_code code = 0;
|
|
|
4be148 |
@@ -272,26 +271,6 @@ change_set_password(krb5_context context,
|
|
|
4be148 |
break;
|
|
|
4be148 |
}
|
|
|
4be148 |
|
|
|
4be148 |
- if (remote_addr.ss_family == AF_INET) {
|
|
|
4be148 |
- remote_kaddr.addrtype = ADDRTYPE_INET;
|
|
|
4be148 |
- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
|
|
|
4be148 |
- remote_kaddr.contents =
|
|
|
4be148 |
- (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
|
|
|
4be148 |
- } else if (remote_addr.ss_family == AF_INET6) {
|
|
|
4be148 |
- remote_kaddr.addrtype = ADDRTYPE_INET6;
|
|
|
4be148 |
- remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
|
|
|
4be148 |
- remote_kaddr.contents =
|
|
|
4be148 |
- (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
|
|
|
4be148 |
- } else {
|
|
|
4be148 |
- break;
|
|
|
4be148 |
- }
|
|
|
4be148 |
-
|
|
|
4be148 |
- if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
|
|
|
4be148 |
- callback_ctx.auth_context,
|
|
|
4be148 |
- NULL,
|
|
|
4be148 |
- &remote_kaddr)))
|
|
|
4be148 |
- break;
|
|
|
4be148 |
-
|
|
|
4be148 |
code = krb5int_rd_chpw_rep(callback_ctx.context,
|
|
|
4be148 |
callback_ctx.auth_context,
|
|
|
4be148 |
&chpw_rep, &local_result_code,
|