Don't do (unsafe) DNS reverse lookups.
authorKurt Zeilenga <kurt@openldap.org>
Tue, 22 Apr 2003 01:17:23 +0000 (01:17 +0000)
committerKurt Zeilenga <kurt@openldap.org>
Tue, 22 Apr 2003 01:17:23 +0000 (01:17 +0000)
HEADS UP: May break some Kerberos deployments.

libraries/libldap/ldap-int.h
libraries/libldap/open.c
libraries/libldap/os-ip.c

index 2d63291ae78187001c1921e5be7499c60fbedf5b..a6f940107cb7265adb074b2df14de63c9e6c8c74 100644 (file)
@@ -441,7 +441,8 @@ LDAP_F (int) ldap_connect_to_host( LDAP *ld, Sockbuf *sb,
 #if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) || \
        defined(HAVE_TLS) || defined(HAVE_CYRUS_SASL)
 LDAP_V (char *) ldap_int_hostname;
-LDAP_F (char *) ldap_host_connected_to( Sockbuf *sb );
+LDAP_F (char *) ldap_host_connected_to( Sockbuf *sb,
+       const char *host );
 #endif
 
 LDAP_F (void) ldap_int_ip_init( void );
index ea51f91c0a55b49fff47e1c140c0a85b0a9749b5..2b27a9ac3f746ac1be842d13fc0ab565a8974292 100644 (file)
@@ -280,7 +280,7 @@ ldap_int_open_connection(
                                LBER_SBIOD_LEVEL_PROVIDER, NULL );
 
 #ifdef HAVE_CYRUS_SASL
-                       sasl_host = ldap_host_connected_to( conn->lconn_sb );
+                       sasl_host = ldap_host_connected_to( conn->lconn_sb, host );
 #endif
                        break;
 
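Review bot: `sasl_host` now depends entirely on `host`, and the new `ldap_host_connected_to` returns NULL when `host` is NULL (the `return host ? LDAP_STRDUP( host ) : NULL;` line in os-ip.c), so a connection opened without an explicit host name would leave `sasl_host` NULL here. Where `host` is assigned is outside this hunk, so whether it can be NULL on this path needs checking. If it can, either pass a fallback as the local-socket hunk below does with a literal (`host ? host : "localhost"`), or confirm that the code consuming `sasl_host` tolerates NULL. A short comment such as `/* SASL server name is the name the caller asked for, never a PTR result */` would record why the peer address is no longer consulted.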
@@ -327,7 +327,7 @@ ldap_int_open_connection(
                                LBER_SBIOD_LEVEL_PROVIDER, NULL );
 
 #ifdef HAVE_CYRUS_SASL
-                       sasl_host = ldap_host_connected_to( conn->lconn_sb );
+                       sasl_host = ldap_host_connected_to( conn->lconn_sb, "localhost" );
 #endif
                        break;
 #endif /* LDAP_PF_LOCAL */
@@ -383,7 +383,8 @@ ldap_int_open_connection(
 #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
        if ( conn->lconn_krbinstance == NULL ) {
                char *c;
-               conn->lconn_krbinstance = ldap_host_connected_to( conn->lconn_sb );
+               conn->lconn_krbinstance = ldap_host_connected_to(
+                       conn->lconn_sb, host );
 
                if( conn->lconn_krbinstance != NULL && 
                    ( c = strchr( conn->lconn_krbinstance, '.' )) != NULL ) {
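Review bot: The Kerberos instance is now taken from the caller-supplied `host` and then searched for its first '.', so if `host` is an IP address literal the `strchr( conn->lconn_krbinstance, '.' )` below would presumably reduce the instance to the first octet, and if `host` is NULL the instance stays NULL. What follows the `strchr` is outside the hunk, so the truncation is inferred from the visible condition only. Consider skipping the truncation for address literals, or document the requirement at this call, e.g. `/* host must be a DNS name here: the instance is the first label of the name the caller supplied */`.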
index ccd24b6db7348f03b764d9b045c8cfce3cb3d3bf..5d097e415ffb2c80f692b3c732655d9d56bab88d 100644 (file)
@@ -506,7 +506,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
 #if defined( LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND ) || \
        defined( HAVE_CYRUS_SASL )
 char *
-ldap_host_connected_to( Sockbuf *sb )
+ldap_host_connected_to( Sockbuf *sb, const char *host )
 {
        socklen_t               len;
 #ifdef LDAP_PF_INET6
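Review bot: The new `host` parameter changes this function's contract and nothing at the definition says so. Add a header comment stating that the result is a fresh `LDAP_STRDUP` copy of `host` (presumably to be freed by the caller), that NULL is returned when `host` is NULL, and that `sb` is no longer used to derive a name by reverse DNS. Suggested wording: `/* Returns a newly allocated copy of the name the caller connected to; the peer address is deliberately not reverse-resolved, since PTR data is not trustworthy input for SASL/Kerberos server names. */`. The body continues outside this hunk, so any earlier return paths should be covered by the same comment.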
@@ -515,8 +515,6 @@ ldap_host_connected_to( Sockbuf *sb )
        struct sockaddr sabuf;
 #endif
        struct sockaddr *sa = (struct sockaddr *) &sabuf;
-       char                    *host = NULL, *herr;
-       char hbuf[NI_MAXHOST];
        int rc;
        ber_socket_t    sd;
 
@@ -579,14 +577,21 @@ ldap_host_connected_to( Sockbuf *sb )
                break;
        }
 
-       hbuf[0] = 0;
-       if (ldap_pvt_get_hname( sa, len, hbuf, sizeof(hbuf), &herr ) == 0 &&
-               hbuf[0] ) 
+#if 0
        {
-               host = LDAP_STRDUP( hbuf );   
+               char *herr;
+               char hbuf[NI_MAXHOST];
+               hbuf[0] = 0;
+
+               if (ldap_pvt_get_hname( sa, len, hbuf, sizeof(hbuf), &herr ) == 0
+                       && hbuf[0] ) 
+               {
+                       return LDAP_STRDUP( hbuf );   
+               }
        }
+#endif
 
-       return host;
+       return host ? LDAP_STRDUP( host ) : NULL;
 }
 #endif
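Review bot: The reverse-lookup code is kept under `#if 0` with no comment saying why it is disabled, so a later cleanup could re-enable it without knowing this was a security decision. Either delete the block or put the rationale on it: `/* Disabled: a PTR record is controlled by whoever runs the reverse zone for the peer address, so it must not select the SASL/Kerberos server name. */`. With the block disabled, `sa` and `len` appear to be computed only for dead code and may draw unused-variable warnings. The part of the body that fills them in is outside the hunk, so check whether it still serves a purpose.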