On 02/17/2014 08:47 PM, Alan Bateman wrote:
> On 17/02/2014 16:22, Florian Weimer wrote:
>
>> Mailman ate the attachment, so I put it up here:
>>
>> <http://fweimer.fedorapeople.org/openjdk/jndi-dns-loop/>
>>
>> Note that other implementations fixed this as CVE-2000-0333 a long
>> time ago, but due to the lack of tail call optimization and reliable
>> stack overflow detection, this is currently not a security
>> vulnerability in OpenJDK (not even an endless loop).
>
> This looks good to me.  I just wonder if InvalidNameException is the
> right NamingException for this case. Would CommunicationException with
> an IOException as cause be more suitable?

DnsName throws InvalidNameException for names that exceed the 255 octet limit of DNS, and I followed that precedent. Looking at the InvalidNameException documentation, I understand why you think another exception might be better here. In the DnsName case, the same exception is used for parsing user-supplied strings and data from the wire, and strictly speaking, InvalidNameException should be used only in the former case.

If we are picky about exceptions, we should also wrap those ArrayIndexOutOfBoundsExceptions.

> For the test then we need to add a @bug line with a bug for this (I'll
> create a bug).  As the test is a negative test then maybe ParsingErrors
> might be a better name.

It contains positive tests as well, to rule out that the change hasn't completely broken things. Should I split this test into two different files?

--
Florian Weimer / Red Hat Product Security Team
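
As an added example (not the patch under review and not OpenJDK code), here is a decoder for names read from the wire that bounds compression-pointer jumps, enforces the 255-octet limit, and reports every failure, including out-of-bounds reads, as a CommunicationException with an IOException cause, which is one of the options discussed above. It assumes the loop in question is the compression-pointer loop behind CVE-2000-0333; the class name, method names and sample messages are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.naming.CommunicationException;
import javax.naming.NamingException;
// Added illustration, not the OpenJDK patch; class and method names are hypothetical.
public class BoundedNameDecoder {
    // Decodes the domain name that starts at offset pos of a raw DNS message.
    static String decode(byte[] msg, int pos) throws NamingException {
        StringBuilder name = new StringBuilder();
        int octets = 1;   // encoded length so far, counting the root label
        int jumps = 0;    // compression pointers followed
        try {
            while (true) {
                int len = msg[pos] & 0xFF;
                if (len == 0) {
                    return name.length() == 0 ? "." : name.toString();
                } else if ((len & 0xC0) == 0xC0) {
                    // A loop-free chain never revisits an offset, so more jumps than octets means a cycle.
                    if (++jumps > msg.length) throw wireError("compression pointer loop");
                    pos = ((len & 0x3F) << 8) | (msg[pos + 1] & 0xFF);
                } else if (len <= 63) {
                    if ((octets += 1 + len) > 255) throw wireError("name exceeds 255 octets");
                    name.append(new String(msg, pos + 1, len, StandardCharsets.ISO_8859_1)).append('.');
                    pos += 1 + len;
                } else {
                    throw wireError("reserved label type");
                }
            }
        } catch (IndexOutOfBoundsException e) {   // truncated label or pointer target outside the message
            throw wireError("name runs past end of message");
        }
    }
    private static NamingException wireError(String what) {
        NamingException e = new CommunicationException("malformed DNS response: " + what);
        e.setRootCause(new IOException(what));
        return e;
    }
    public static void main(String[] args) {
        byte[][] samples = {                        // constructed inputs, name starts at offset 5
            {3, 'w', 'w', 'w', 0, (byte) 0xC0, 0},  // valid: pointer to the name at offset 0
            {0, 0, 0, 0, 0, (byte) 0xC0, 5},        // pointer that targets itself
            {0, 0, 0, 0, 0, 5, 'a'},                // label runs past the end
        };
        for (byte[] msg : samples) {
            try { System.out.println(decode(msg, 5)); }
            catch (NamingException e) { System.out.println(e.getMessage()); }
        }
    }
}
```

The jump counter is needed in addition to the length check because a pointer that targets another pointer adds no label octets.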
