X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/blobdiff_plain/be8bd99aa47295aa0b52b5052f530dcb27c63975..a6d8c3f336deebfff152e1d3f6d646ba1dc59eea:/clientname.c diff --git a/clientname.c b/clientname.c index 66020525..caf0af6c 100644 --- a/clientname.c +++ b/clientname.c @@ -43,6 +43,7 @@ char *client_addr(int fd) { struct sockaddr_storage ss; socklen_t length = sizeof ss; + char *ssh_client, *p; static char addr_buf[100]; static int initialised; @@ -50,11 +51,20 @@ char *client_addr(int fd) initialised = 1; - client_sockaddr(fd, &ss, &length); + if ((ssh_client = getenv("SSH_CLIENT")) != NULL) { + strlcpy(addr_buf, ssh_client, sizeof(addr_buf)); + /* truncate SSH_CLIENT to just IP address */ + p = strchr(addr_buf, ' '); + if (p) + *p = '\0'; + else + strlcpy(addr_buf, "0.0.0.0", sizeof("0.0.0.0")); + } else + client_sockaddr(fd, &ss, &length); getnameinfo((struct sockaddr *)&ss, length, - addr_buf, sizeof(addr_buf), NULL, 0, NI_NUMERICHOST); - + addr_buf, sizeof(addr_buf), NULL, 0, NI_NUMERICHOST); + return addr_buf; } @@ -74,11 +84,12 @@ static int get_sockaddr_family(const struct sockaddr_storage *ss) * If anything goes wrong, including the name->addr->name check, then * we just use "UNKNOWN", so you can use that value in hosts allow * lines. + * + * After translation from sockaddr to name we do a forward lookup to + * make sure nobody is spoofing PTR records. **/ char *client_name(int fd) { - struct sockaddr_storage ss; - socklen_t ss_len = sizeof ss; static char name_buf[100]; static char port_buf[100]; static int initialised; @@ -88,10 +99,40 @@ char *client_name(int fd) strcpy(name_buf, default_name); initialised = 1; - client_sockaddr(fd, &ss, &ss_len); + if (getenv("SSH_CLIENT") != NULL) { + /* Look up name of IP address given in $SSH_CLIENT */ +#ifdef INET6 + int af = AF_INET6; + struct sockaddr_in6 sin; +#else + int af = AF_INET; + struct sockaddr_in sin; +#endif + socklen_t sin_len = sizeof sin; - if (!lookup_name(fd, &ss, ss_len, name_buf, sizeof name_buf, port_buf, sizeof port_buf)) - check_name(fd, &ss, name_buf, port_buf); + memset(&sin, 0, sin_len); + +#ifdef INET6 + sin.sin6_family = af; + inet_pton(af, client_addr(fd), &sin.sin6_addr.s6_addr); +#else + sin.sin_family = af; + inet_pton(af, client_addr(fd), &sin.sin_addr.s_addr); +#endif + + if (!lookup_name(fd, (struct sockaddr_storage *)&sin, sin_len, + name_buf, sizeof name_buf, port_buf, sizeof port_buf)) + check_name(fd, (struct sockaddr_storage *)&sin, name_buf); + } else { + struct sockaddr_storage ss; + socklen_t ss_len = sizeof ss; + + client_sockaddr(fd, &ss, &ss_len); + + if (!lookup_name(fd, &ss, ss_len, name_buf, sizeof name_buf, + port_buf, sizeof port_buf)) + check_name(fd, &ss, name_buf); + } return name_buf; } @@ -149,6 +190,8 @@ void client_sockaddr(int fd, /** * Look up a name from @p ss into @p name_buf. + * + * @param fd file descriptor for client socket. **/ int lookup_name(int fd, const struct sockaddr_storage *ss, socklen_t ss_len, @@ -226,11 +269,14 @@ int compare_addrinfo_sockaddr(const struct addrinfo *ai, * @p ss -- otherwise we may be being spoofed. If we suspect we are, * then we don't abort the connection but just emit a warning, and * change @p name_buf to be "UNKNOWN". + * + * We don't do anything with the service when checking the name, + * because it doesn't seem that it could be spoofed in any way, and + * getaddrinfo on random service names seems to cause problems on AIX. **/ int check_name(int fd, const struct sockaddr_storage *ss, - char *name_buf, - const char *port_buf) + char *name_buf) { struct addrinfo hints, *res, *res0; int error; @@ -240,7 +286,7 @@ int check_name(int fd, hints.ai_family = ss_family; hints.ai_flags = AI_CANONNAME; hints.ai_socktype = SOCK_STREAM; - error = getaddrinfo(name_buf, port_buf, &hints, &res0); + error = getaddrinfo(name_buf, NULL, &hints, &res0); if (error) { rprintf(FERROR, RSYNC_NAME ": forward name lookup for %s failed: %s\n",