- /*
- * Do a forward lookup of the hostname. This is unnecessary if we
- * are initiating the connection, but is very serious if we are
- * receiving. We want to make sure the hostname
- * resolves back to the remote ip for security reasons.
- */
- if ((he = gethostbyname(rh->hostname)) == NULL) {
- secprintf(("%s: udp: bb\n", debug_prefix_time(NULL)));
- security_seterror(&rh->sech,
- "%s: could not resolve hostname", rh->hostname);
- return (-1);
- }
-
- /*
- * Make sure the hostname matches. This should always work.
- */
- if (strncasecmp(rh->hostname, he->h_name, strlen(rh->hostname)) != 0) {
- secprintf(("%s: udp: cc\n", debug_prefix_time(NULL)));
- security_seterror(&rh->sech,
- "%s: did not resolve to itself, it resolv to",
- rh->hostname, he->h_name);
- return (-1);
- }
-
- /*
- * Now look for a matching ip address.
- */
- for (i = 0; he->h_addr_list[i] != NULL; i++) {
- if (memcmp(&rh->peer.sin_addr, he->h_addr_list[i],
- SIZEOF(struct in_addr)) == 0) {
- break;
- }
- }
-
- /*
- * If we didn't find it, try the aliases. This is a workaround for
- * Solaris if DNS goes over NIS.
- */
- if (he->h_addr_list[i] == NULL) {
- const char *ipstr = inet_ntoa(rh->peer.sin_addr);
- for (i = 0; he->h_aliases[i] != NULL; i++) {
- if (strcmp(he->h_aliases[i], ipstr) == 0)
- break;
- }
- /*
- * No aliases either. Failure. Someone is fooling with us or
- * DNS is messed up.
- */
- if (he->h_aliases[i] == NULL) {
- security_seterror(&rh->sech,
- "DNS check failed: no matching ip address for %s",
- rh->hostname);
- return (-1);
- }
- }