Re: _DNS_ security problems
>API's should do reasonable things with illegal inputs
Perhaps, but taken to some extreme this goes against the spirit of C.
What should the following do?
fclose(NULL);
strcpy(NULL, "abc");
sprintf(buff, "%s");
>syslog(), being an API, should do reasonable things with unreasonable
>inputs.
Sendmail, being a program that takes arbitrary input from the network,
should not ship it around to other API's blindly.
>The resolver routines, being an API, should do reasonable things with
>unreasonable inputs.
To the extent that the underlying DNS allows this, yes. Doing forward
checks after gethostbyaddr is *not* the job of the API. If
you think otherwise then you need to go learn more about DNS and what
security/integrity guarantees it does, and does not, provide.
> but to call it anything but a pitfall is clearly specious.
At least for the DNS case (gethostbyaddr/gethostbyname), you do not know
what you are talking about. Sorry to be blunt, and perhaps rude, but
it's true.
I think this is my last word on this subject. :)
/r$
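
The forward check that the message above places on the caller rather than on the resolver API, as an added example that is not part of the original post. It uses the modern getnameinfo/getaddrinfo calls in place of gethostbyaddr/gethostbyname; the function names addr_in_list and confirmed_hostname are hypothetical.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Return 1 if the peer's address is one of the forward-lookup results. */
int addr_in_list(const struct sockaddr *peer, const struct addrinfo *list)
{
    for (const struct addrinfo *ai = list; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family != peer->sa_family)
            continue;
        if (peer->sa_family == AF_INET &&
            memcmp(&((const struct sockaddr_in *)ai->ai_addr)->sin_addr,
                   &((const struct sockaddr_in *)peer)->sin_addr,
                   sizeof(struct in_addr)) == 0)
            return 1;
        if (peer->sa_family == AF_INET6 &&
            memcmp(&((const struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
                   &((const struct sockaddr_in6 *)peer)->sin6_addr,
                   sizeof(struct in6_addr)) == 0)
            return 1;
    }
    return 0;
}

/* Reverse-resolve the peer, then forward-resolve the claimed name and require
 * the peer's address among the results. Returns 1 and leaves the confirmed
 * name in host; returns 0 and empties host otherwise. */
int confirmed_hostname(const struct sockaddr *peer, socklen_t peerlen,
                       char *host, socklen_t hostlen)
{
    struct addrinfo hints, *res = NULL;
    int ok = 0;
    if (hostlen == 0)
        return 0;
    /* NI_NAMEREQD: fail instead of returning the numeric address as a "name". */
    if (getnameinfo(peer, peerlen, host, hostlen, NULL, 0, NI_NAMEREQD) == 0) {
        memset(&hints, 0, sizeof hints);
        hints.ai_family = peer->sa_family;
        hints.ai_socktype = SOCK_STREAM;
        if (getaddrinfo(host, NULL, &hints, &res) == 0) {
            ok = addr_in_list(peer, res);
            freeaddrinfo(res);
        }
    }
    if (!ok)
        host[0] = '\0';   /* never hand an unconfirmed PTR name to the caller */
    return ok;
}
```

A caller that gets 0 back should log and authorize on the numeric peer address only.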