Subject: Re: lib/30402: libwrap access control does not work when RBL is used
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Julian Coleman <jdc@coris.org.uk>
List: netbsd-bugs
Date: 12/06/2005 12:30:01
The following reply was made to PR lib/30402; it has been noted by GNATS.
From: Julian Coleman <jdc@coris.org.uk>
To: yu@installer.org, gnats-bugs@netbsd.org
Cc:
Subject: Re: lib/30402: libwrap access control does not work when RBL is used
Date: Tue, 6 Dec 2005 12:29:15 +0000
> libwrap's RBL support ("{RBL}.domain" specification) makes wrong DNS queries.
> To check whether "aaa.bbb.ccc.ddd" is in "rbl.example.org", we have to build
> query:
> 1. reverse IP address part (to "ddd.ccc.bbb.aaa")
> 2. append RBL domain part (".rbl.example.org")
> In the current source, 1 is forgotten, and the query becomes "aaa.bbb.ccc.ddd.rbl.example.org". So access restrictions do not work adequately.
> >Fix:
>
> --- hosts_access.c 26 Dec 2002 12:53:59 -0000 1.17
> +++ hosts_access.c 2 Jun 2005 11:45:31 -0000
> @@ -327,10 +327,10 @@
> /* NOTREACHED */
> }
> snprintf(rbl_name, len, "%u.%u.%u.%u.%s",
> - (unsigned int) ((host_address) & 0xff),
> - (unsigned int) ((host_address >> 8) & 0xff),
> - (unsigned int) ((host_address >> 16) & 0xff),
> (unsigned int) ((host_address >> 24) & 0xff),
> + (unsigned int) ((host_address >> 16) & 0xff),
> + (unsigned int) ((host_address >> 8) & 0xff),
> + (unsigned int) ((host_address) & 0xff),
> rbl_domain);
> /* look it up */
> if (gethostbyname(rbl_name) != NULL) {
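Review bot: swapping the four snprintf arguments only moves the byte-order dependence from one class of host to the other. host_address holds the address as inet_aton stored it, in network byte order, so on a big-endian host the original low-byte-first order already yields "ddd.ccc.bbb.aaa" (which is what the sparc64 test in this reply observes) and the reordered arguments would produce the unreversed "aaa.bbb.ccc.ddd" there instead. Converting the value with ntohl() before the shifts makes the existing argument order correct on both byte orders, so the snprintf arguments can stay as they were.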
If I add {RBL}.rbl.example.org lines to my hosts.allow on a big-endian
machine (sparc64) and connect, I see correct DNS queries. So, it looks
like an endian issue.
Instead of re-ordering the lines as you have done in the patch, can you
try using ntohl() instead?
- - -
--- hosts_access.c.dist 2002-12-26 12:53:59.000000000 +0000
+++ hosts_access.c 2005-12-06 12:26:31.000000000 +0000
@@ -321,6 +321,7 @@
tcpd_warn("unable to convert %s to address", rbl_hostaddr);
return (NO);
}
+ host_address = ntohl(host_address);
/* construct the rbl name to look up */
if ((rbl_name = malloc(len)) == NULL) {
tcpd_jump("not enough memory to build RBL name for %s in %s", rbl_hostaddr, rbl_domain);
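Review bot: ntohl() needs its declaration from <arpa/inet.h> (or <netinet/in.h>); the hunk shows no include change, so confirm hosts_access.c already pulls one in, otherwise older compilers will take an implicit int declaration. With host_address in host byte order from this point on, the low-byte-first argument order in the snprintf that follows produces the reversed quad on both big- and little-endian hosts, so no change to those arguments is needed; it would be worth a one-line comment next to the new assignment saying the value is now in host order, since the shift expressions below depend on it.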
- - -
J
--
My other computer also runs NetBSD / Sailing at Newbiggin
http://www.netbsd.org/ / http://www.newbigginsailingclub.org/
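A stand-alone illustration of the name construction discussed in this thread, added here as an example and not taken from libwrap or NetBSD: it builds the reversed-octet RBL name with ntohl() applied before the byte shifts, and keeps a second copy that shifts the raw network-order value so the endian dependence can be observed on whatever host compiles it. The function names, the 192.0.2.33 address and the rbl.example.org domain are assumptions for the example; no DNS lookup is performed, only the name that would be passed to gethostbyname() is produced.

```c
/* Added example (not libwrap's own code): build the name an IPv4 DNS
 * blocklist (RBL) lookup queries, i.e. "ddd.ccc.bbb.aaa.<domain>" for
 * address aaa.bbb.ccc.ddd, and show why shifting the raw in_addr value
 * without ntohl() is endian-dependent. Helper names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if this host stores multi-byte integers big-endian, else 0. */
int host_is_big_endian(void)
{
    const uint32_t probe = 0x01020304u;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 0x01;
}

/* Emit the four bytes of v low byte first, then the domain. Returns 0 on
 * success, -1 if the result does not fit in out. */
static int format_reversed(uint32_t v, const char *domain, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%u.%u.%u.%u.%s",
                     (unsigned)(v & 0xff), (unsigned)((v >> 8) & 0xff),
                     (unsigned)((v >> 16) & 0xff), (unsigned)((v >> 24) & 0xff),
                     domain);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Portable version: ntohl() puts the first octet in the high byte on every
 * host, so the low-byte-first format yields the reversed quad everywhere.
 * Returns 0 on success, -1 for a bad address or a too-small buffer. */
int build_rbl_name(const char *ip, const char *domain, char *out, size_t outlen)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, ip, &addr) != 1)
        return -1;
    return format_reversed(ntohl(addr.s_addr), domain, out, outlen);
}

/* Unportable version: shifts the network-order value directly, as the
 * pre-fix code did. Correct only where host order equals network order. */
int build_rbl_name_unportable(const char *ip, const char *domain, char *out, size_t outlen)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, ip, &addr) != 1)
        return -1;
    return format_reversed(addr.s_addr, domain, out, outlen);
}

/* 1 if the portable builder produces exactly `expected` for ip/domain. */
int rbl_name_is(const char *ip, const char *domain, const char *expected)
{
    char buf[256];
    if (build_rbl_name(ip, domain, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* 1 if the two builders agree for ip/domain, 0 if they differ, -1 on error.
 * Agreement is expected exactly on big-endian hosts. */
int unportable_agrees(const char *ip, const char *domain)
{
    char a[256], b[256];
    if (build_rbl_name(ip, domain, a, sizeof a) != 0 ||
        build_rbl_name_unportable(ip, domain, b, sizeof b) != 0)
        return -1;
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample input: a documentation-range address and a
     * placeholder blocklist zone. */
    const char *ip = "192.0.2.33", *zone = "rbl.example.org";
    char name[256];

    if (build_rbl_name(ip, zone, name, sizeof name) == 0)
        printf("portable:   %s\n", name);
    if (build_rbl_name_unportable(ip, zone, name, sizeof name) == 0)
        printf("unportable: %s  (%s host)\n", name,
               host_is_big_endian() ? "big-endian" : "little-endian");
    return 0;
}
```

On a little-endian machine the unportable builder prints the unreversed "192.0.2.33.rbl.example.org", which is exactly the wrong query the PR describes; on sparc64 the two lines agree. Because the buffer length is checked against snprintf's return value, an over-long domain makes the builder fail rather than hand a truncated name to the resolver.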