[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LSD0001 review

From: Maxime Devos
Subject: Re: LSD0001 review
Date: Thu, 10 Feb 2022 23:26:00 +0100
User-agent: Evolution 3.38.3-1

Schanzenbach, Martin schreef op ma 07-02-2022 om 19:02 [+0000]:
> > >     A UTF-8 string (which is not 0-terminated) representing the
> > > legacy hostname.
> > 
> > What happens if it contaings \0, or ends with two dots, does that
> mean
> > the LEHO record is invalid and must be rejected?  If it is in
> punycode,
> > why say ‘A UTF-8 string’ instead of ’an ASCII string’?
> It is not in punycode. It is just a UTF-8 string.
> Why is it not 0-terminated? TBH I am not sure, probably to save a
> byte :)

Some context on this question about nul characters.

Consider a C application that is asked to contact http://i.hate.c,
a website about the use of "\0" in C software.  i.hate.c has a LEHO
record with value "foo\" (and some VPN or AAAA record).

Perhaps the HTTP spec disallows \0 in the "Host" header,
and the C application hence gives some kind of error message
about not being able to contact i.hate.c.  No problem in this case.

Perhaps the C applications assumes that GNS will only return ‘proper’
hostnames, add a \0 to the end of the record, and
use strlen("foo\") (= 3) to determine how large a buffer needs
to be calculated, and copy "foo\" (the whole thing of size 12
(including terminating\0)) into the buffer that's only of size 3,
resulting in a buffer overflow.

(Variants of) the second scenario seems plausible to me.

As such, I would recommend forbidding \0 bytes in GNS,
or mentioning problems involving \0 in a section ‘Security


Attachment: signature.asc
Description: This is a digitally signed message part

reply via email to

[Prev in Thread] Current Thread [Next in Thread]