Schanzenbach, Martin wrote on Mon 07-02-2022 at 19:02 [+0000]:
> > > LEGACY HOSTNAME
> > > A UTF-8 string (which is not 0-terminated) representing the
> > > legacy hostname.
> >
> > What happens if it contains \0, or ends with two dots, does that mean
> > the LEHO record is invalid and must be rejected? If it is in punycode,
> > why say ‘A UTF-8 string’ instead of ‘an ASCII string’?
>
> It is not in punycode. It is just a UTF-8 string.
> Why is it not 0-terminated? TBH I am not sure, probably to save a
> byte :)
Some context on this question about nul characters.

Consider a C application that is asked to contact http://i.hate.c, a website about the use of "\0" in C software. i.hate.c has a LEHO record with value "foo\0bar.com" (and some VPN or AAAA record).

Perhaps the HTTP spec disallows \0 in the "Host" header, and the C application hence gives some kind of error message about not being able to contact i.hate.c. No problem in this case.

Perhaps the C application assumes that GNS will only return ‘proper’ hostnames, adds a \0 to the end of the record, uses strlen("foo\0bar.com") (= 3) to determine how large a buffer needs to be, and copies "foo\0bar.com" (the whole thing of size 12, including the terminating \0) into the buffer that's only of size 3, resulting in a buffer overflow.

(Variants of) the second scenario seem plausible to me. As such, I would recommend forbidding \0 bytes in GNS, or mentioning problems involving \0 in a section ‘Security considerations’.

Greetings,
Maxime.
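The sizing mistake described in the second scenario, next to a length-based check that rejects such a record, as an added example that is not part of the mail or of GNUnet's code. The record value "foo\0bar.com" is the constructed sample from the mail; MAX_LEHO_LEN and the function names are assumptions of this example, not GNS definitions.

```c
#include <stddef.h>
#include <string.h>

/* Upper bound on an accepted hostname: an assumption of this example. */
#define MAX_LEHO_LEN 255

/* Constructed sample record value from the mail: "foo\0bar.com".
   A LEHO value is length-delimited and not 0-terminated, so the record
   is 11 bytes long and the \0 in the middle is ordinary data. */
static const char SAMPLE_LEHO[] = "foo\0bar.com";
#define SAMPLE_LEHO_LEN (sizeof(SAMPLE_LEHO) - 1)

/* The mistake from the mail: append a terminator and let strlen() size
   the buffer. The embedded \0 stops strlen() at "foo", so this returns 4
   while the copy that follows would move len + 1 = 12 bytes. Only the
   miscalculated size is returned; the overflowing copy is not performed. */
size_t naive_strlen_size(const char *value, size_t len)
{
    char tmp[MAX_LEHO_LEN + 1];
    if (len > MAX_LEHO_LEN) return 0;
    memcpy(tmp, value, len);
    tmp[len] = '\0';
    return strlen(tmp) + 1;
}

/* Hardened check: reject a value that is empty, too long, or contains
   a \0 byte. Returns 0 if acceptable, a negative code otherwise. */
int leho_validate(const char *value, size_t len)
{
    if (len == 0 || len > MAX_LEHO_LEN) return -2;   /* bad length */
    if (memchr(value, '\0', len) != NULL) return -1; /* embedded \0 */
    return 0;
}

/* Turn a validated record into a 0-terminated hostname, sizing the copy
   from the record length rather than from strlen(). */
int leho_to_hostname(const char *value, size_t len, char *out, size_t out_len)
{
    int rc = leho_validate(value, len);
    if (rc != 0) return rc;
    if (len + 1 > out_len) return -3;                /* destination too small */
    memcpy(out, value, len);
    out[len] = '\0';
    return 0;
}
```

The gap between naive_strlen_size() (4) and the 12 bytes the application would copy is the overflow the mail describes; leho_validate() closes it by refusing the record before any copy happens.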