author | wpaul <wpaul@FreeBSD.org> | 1996-07-13 20:23:13 +0000 |
---|---|---|
committer | wpaul <wpaul@FreeBSD.org> | 1996-07-13 20:23:13 +0000 |
commit | dd36926d570838b0f4086a79308586ddc87eeda9 (patch) | |
tree | 46b0eb58346dbaacee3ef8cf5ebf9b781d4b0a61 /lib | |
parent | 4203d74266977ec57c255c755be30a8e73088d4b (diff) | |
In _yp_dobind(), if we find ourselves required to contact the local ypbind
directly in order to obtain binding information, check that the local
ypbind is using a reserved port and return YPERR_YPBIND if it isn't.
We should not trust any ypbind running on a port >= IPPORT_RESERVED;
it may have been started by a malicious user hoping to trick us into
talking to a bogus ypserv.
Note that we do not check the ypserv port returned to us from ypbind.
It is assumed that ypbind has already done a reserved port test (or not,
depending on whether or not it was started with -s); if we trust the
authenticity of the local ypbind, we should also trust its judgement.
Obtained from: OpenBSD
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libc/yp/yplib.c | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/lib/libc/yp/yplib.c b/lib/libc/yp/yplib.c index 72f57e9..e83f69a 100644 --- a/lib/libc/yp/yplib.c +++ b/lib/libc/yp/yplib.c @@ -369,6 +369,17 @@ skipit: return (YPERR_YPBIND); } + /* + * Check the port number -- should be < IPPORT_RESERVED. + * If not, it's possible someone has registered a bogus + * ypbind with the portmapper and is trying to trick us. + */ + if (ntohs(clnt_sin.sin_port) >= IPPORT_RESERVED) { + clnt_destroy(client); + if (new) + free(ysd); + return(YPERR_YPBIND); + } tv.tv_sec = _yplib_timeout/2; tv.tv_usec = 0; r = clnt_call(client, YPBINDPROC_DOMAIN, @@ -400,6 +411,13 @@ skipit: *(u_short *)&ypbr.ypbind_resp_u.ypbind_bindinfo.ypbind_binding_port; ysd->dom_server_addr.sin_addr.s_addr = *(u_long *)&ypbr.ypbind_resp_u.ypbind_bindinfo.ypbind_binding_addr; + + /* + * We could do a reserved port check here too, but this + * could pose compatibility problems. The local ypbind is + * supposed to decide whether or not to trust yp servers + * on insecure ports. For now, we trust its judgement. + */ ysd->dom_server_port = *(u_short *)&ypbr.ypbind_resp_u.ypbind_bindinfo.ypbind_binding_port; gotit: |
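Review bot: In the first hunk (@@ -369), the new reserved-port rejection returns the same YPERR_YPBIND as the error path directly above it, so a caller or an administrator cannot tell a ypbind registered on a port >= IPPORT_RESERVED apart from a ypbind that simply could not be reached. Since the comment says this condition may mean someone "is trying to trick us", consider logging the rejected port before the return so the event is visible. Minor style point in the same block: `return(YPERR_YPBIND);` omits the space that the context line `return (YPERR_YPBIND);` uses.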
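Review bot: In the second hunk (@@ -411), the added comment says the local ypbind "is supposed to decide" whether to trust servers on insecure ports, but it leaves out the condition the commit message gives: ypbind only performs that test when started with -s. Without that detail a reader of yplib.c could assume dom_server_port is always vetted. Suggest naming the -s dependency in the comment, and replacing "For now" with the condition under which this check would be revisited.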