Apply patch from MIT KRB5 GIT tree commit: 043533c2f13d2bc69316.
libgssrpc was ignorant of the remote address of the kadmin socket, even when it's IPv4. This made old-style GSSAPI authentication fail because it uses the wrong channel bindings. Fix this problem by making clnttcp_create() get the remote address from the socket using getpeername() if the caller doesn't provide it and it's an IPv4 address. PR: 160500 Submitted by: Ben Kaduk <kaduk@mit.edu>
parent
6d9f6a687c
commit
6fc815c911
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=281304
2 changed files with 22 additions and 0 deletions
|
@ -7,6 +7,7 @@
|
|||
|
||||
PORTNAME= krb5
|
||||
PORTVERSION= 1.9.1
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= security
|
||||
MASTER_SITES= http://web.mit.edu/kerberos/dist/${PORTNAME}/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/
|
||||
#PATCH_SITES= http://web.mit.edu/kerberos/advisories/
|
||||
|
|
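--- a/security/krb5/files/patch-lib-rpc-clnt_tcp.c
+++ b/security/krb5/files/patch-lib-rpc-clnt_tcp.c
@@ -0,0 +1,21 @@
+--- lib/rpc/clnt_tcp.c.orig 2011-09-06 02:05:14.000000000 +0000
++++ lib/rpc/clnt_tcp.c 2011-09-06 02:10:30.000000000 +0000
+@@ -187,9 +187,16 @@
+ct->ct_sock = *sockp;
+ct->ct_wait.tv_usec = 0;
+ct->ct_waitset = FALSE;
+- if (raddr == NULL)
+- memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
++ if (raddr == NULL) {
++ /* Get the remote address from the socket, if it's IPv4. */
++ struct sockaddr_in sin;
++ socklen_t len = sizeof(sin);
++ int ret = getpeername(ct->ct_sock, (struct sockaddr *)&sin, &len);
++ if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)
++ ct->ct_addr = sin;
+else
++ memset(&ct->ct_addr, 0, sizeof(ct->ct_addr));
++ } else
+ct->ct_addr = *raddr;
+
+/*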
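Review bot: The fallback branch under `if (ret == 0 && len == sizeof(sin) && sin.sin_family == AF_INET)` zeroes `ct->ct_addr` both when `getpeername()` fails and when the peer is not IPv4, and nothing records which of the two happened. Going by the commit description, this address feeds the channel bindings for old-style GSSAPI authentication, so those cases keep the original mismatch and will presumably fail later with no hint of the cause. I would at least document that on the inner `else`, e.g. `/* getpeername() failed or peer is not IPv4: address stays zeroed, so address-based channel bindings will not match. */`. The enclosing function begins and ends outside this hunk, so whether a caller-supplied socket is guaranteed to be connected at this point cannot be confirmed from here.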