[Freeciv-Dev] Re: Hostname lookups again.
On Tue, 19 Sep 2000, Jarda Benkovsky wrote:
> Gaute B Strokkenes wrote:
> > Actually checking the length field of the look-up (when we've already
> > ascertained that it's AF_INET) might be a bit anal, but why not.
>
> Definitely not too anal! You should check it to prevent remote exploits
Read my lips :-)
gethostbyname() is a libc call to the resolver, which calls DNS. If the
resolver and libc don't catch the bug, then I'm sorry. But if we were to
painstakingly test for each bug/security problem in libc then you'd have
to test *everything*. Why not parse sprintf()'s output string to check
some malicious exploit is making you not output numbers correctly, etc.
Happy? :-)
---
Vasco Alexandre da Silva Costa @ Instituto Superior Tecnico, Lisboa