From: Nalin Dahyabhai
Date: Wed, 9 Oct 2013 19:03:16 +0000 (-0400)
Subject: Don't check kpasswd reply address
X-Git-Tag: krb5-1.13-alpha1~174
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b562400826409deceb0d52ffbe6570670ee9db55;p=thirdparty%2Fkrb5.git
Don't check kpasswd reply address
Don't check the address of the kpasswd server when parsing the reply we received from it. If the server's address was modified by a proxy or other network element, the user will be incorrectly warned that the password change failed when it succeeded. The check is unnecessary as the kpasswd protocol is not subject to a reflection attack.
[ghudson@mit.edu: edit commit message]
ticket: 7886 (new)
---
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 462910f6ba..4d8abd9d57 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -214,7 +214,6 @@ change_set_password(krb5_context context,
 krb5_data *result_string)
 {
 krb5_data chpw_rep;
- krb5_address remote_kaddr;
 krb5_boolean use_tcp = 0;
 GETSOCKNAME_ARG3_TYPE addrlen;
 krb5_error_code code = 0;
@@ -272,26 +271,6 @@ change_set_password(krb5_context context,
 break;
 }
 
- if (remote_addr.ss_family == AF_INET) {
- remote_kaddr.addrtype = ADDRTYPE_INET;
- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
- remote_kaddr.contents =
- (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
- } else if (remote_addr.ss_family == AF_INET6) {
- remote_kaddr.addrtype = ADDRTYPE_INET6;
- remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
- remote_kaddr.contents =
- (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
- } else {
- break;
- }
-
- if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
- callback_ctx.auth_context,
- NULL,
- &remote_kaddr)))
- break;
-
 code = krb5int_rd_chpw_rep(callback_ctx.context,
 callback_ctx.auth_context,
 &chpw_rep, &local_result_code,