> On 15 Apr 2021, at 17:28, Paul Vixie <p...@redbarn.org> wrote:
>
>>>> I don't think it's entirely fair to blame the coders who make these
>>>> mistakes, because a very large number of excellent programmers have
>>>> made a mess of DNS name decompression. ...
>
> i shipped the crap in question as late as 1998, and excellence wasn't the
> problem. in this field at that time, crap was the norm, and this crap was
> better than most -- "excellent" if you will, by the standards of the day.
>
> this is not that day, and while crap may still be an internet norm, it is
> no longer excellent. here are some of the things you can be sure of:
>
> 1. somebody wrote or copied this code in C and didn't red-team it
> 2. somebody copied this code without tracking where they copied it from
>
> so, freebsd was unfairly maligned in the forescout report on this event;
> the bug was in their dhcp client, not their dns or "tcp/ip stack", and
> had been fixed 20 years late but still six months ago.
The freebsd code still isn't correct: "if (0xc0 & len) {" != "if ((0xc0 & len) == 0xc0) {", which is the correct test for a compression pointer. The frustrating part is that it could have all been done safely with libresolv rather than reinventing the wheel. The pain had already been taken with libresolv.

> everything else on that list was properly and fairly maligned, and ought
> to be grounds to wonder what other code those vendors have written or
> copied in C, without red-teaming it, and without tracking later changes.
>
>>>> It seems worthwhile to try to help future coders not to mess it up.
>
> as a technology action, sure. but we've got to stop writing crap generally
> not just in decoders. that means red-teaming things before they go out,
> and only dealing with vendors who can afford to do this. (C, having as it
> does no bounds checking, allows any pointer to be wild -- So Expect That.)
>
> "as long as people write parsers,
> and connect them to the internet,
> i'll have work." --anon
>
> --
> Paul Vixie
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
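An added example, not code from either poster, FreeBSD or libresolv, showing what the compression-pointer test under discussion looks like inside a bounds-checked name decoder: only a label byte with both top bits set is a pointer, the reserved 0x40/0x80 label types are rejected rather than treated as pointers, every read is checked against the message length, and pointer loops are refused. The sample message, the function names and the 255-byte output buffer are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Decode the DNS name at offset 'off' of 'msg' (RFC 1035 s4.1.4) into dotted text.
 * Returns the number of bytes the name occupies at 'off', or -1 if it is malformed. */
int dns_expand_name(const uint8_t *msg, size_t msglen, size_t off, char *out, size_t outlen)
{
    size_t cur = off, used = 0, consumed = 0, hops = 0;
    for (;;) {
        if (cur >= msglen) return -1;               /* bounds check before every read */
        uint8_t len = msg[cur];
        if ((len & 0xc0) == 0xc0) {                 /* both top bits set: compression pointer */
            if (cur + 1 >= msglen) return -1;
            if (!hops) consumed = cur + 2 - off;    /* the name ends at its first pointer */
            if (++hops > msglen / 2) return -1;     /* more pointers than the message can hold */
            size_t target = ((len & 0x3f) << 8) | msg[cur + 1];
            if (target >= cur) return -1;           /* must refer to a prior occurrence */
            cur = target;
            continue;
        }
        if (len & 0xc0) return -1;   /* 0x40/0x80: reserved label types; 'if (0xc0 & len)' misreads them as pointers */
        if (len == 0) {                             /* root label ends the name */
            if (!hops) consumed = cur + 1 - off;
            if (used == 0 && outlen > 1) out[used++] = '.';
            if (used >= outlen) return -1;
            out[used] = '\0';
            return (int)consumed;
        }
        if (cur + 1 + len > msglen) return -1;      /* label must lie within the message */
        if (used + len + 2 > outlen) return -1;     /* label + '.' + NUL must fit in out */
        memcpy(out + used, msg + cur + 1, len);
        used += len;
        out[used++] = '.';
        cur += 1 + len;
    }
}
/* Constructed sample: "www.example.com." at 0, "mail" + pointer to offset 4 at 17,
 * a reserved 0x40 label at 24, and a pointer to itself at 26. */
static const uint8_t sample_msg[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xc0, 0x04,   0x40, 0x05,   0xc0, 0x1a,
};
/* Decode the name at 'off' in sample_msg. Returns its wire length when it decodes to
 * 'expect', 0 when expect is NULL and decoding fails as it should, -1 otherwise. */
int check_sample(size_t off, const char *expect)
{
    char buf[256];
    int n = dns_expand_name(sample_msg, sizeof sample_msg, off, buf, sizeof buf);
    if (expect == NULL) return n < 0 ? 0 : -1;
    return (n >= 0 && strcmp(buf, expect) == 0) ? n : -1;
}
```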