Minor com.sun.jndi.dns cleanup
Florian Weimer
fweimer at redhat.com
Mon Feb 17 20:01:12 UTC 2014

On 02/17/2014 08:47 PM, Alan Bateman wrote:
> On 17/02/2014 16:22, Florian Weimer wrote:
>>
>> Mailman ate the attachment, so I put it up here:
>>
>> <http://fweimer.fedorapeople.org/openjdk/jndi-dns-loop/>
>>
>> Note that other implementations fixed this as CVE-2000-0333 a long
>> time ago, but due to the lack of tail call optimization and reliable
>> stack overflow detection, this is currently not a security
>> vulnerability in OpenJDK (not even an endless loop).
>>
> This looks good to me. I just wonder if InvalidNameException is the
> right NamingException for this case. Would CommunicationException with
> an IOException as cause be more suitable?

DnsName throws InvalidNameException for names that exceed the 255 octet
limit of DNS, and I followed that precedent. Looking at the
InvalidNameException documentation, I understand why you think another
exception might be better here. In the DnsName case, the same exception
is used for parsing user-supplied strings and data from the wire, and
strictly speaking, InvalidNameException should be used only in the
former case.

If we are picky about exceptions, we should also wrap those
ArrayIndexOutOfBoundsExceptions.

> For the test then we need to add a @bug line with a bug for this (I'll
> create a bug). As the test is a negative test then maybe ParsingErrors
> might be a better name.

It contains positive tests as well, to rule out that the change hasn't
completely broken things. Should I split this test into two different files?

--
Florian Weimer / Red Hat Product Security Team
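
Added example, not part of the original message or of the patch it discusses: a bounded DNS name decoder in Java, assuming the loop in question is the name-compression pointer loop known from CVE-2000-0333. The class and method names and the sample messages are constructed for illustration; it follows the thread's precedent of throwing InvalidNameException and replaces raw array-index failures with explicit bounds checks.

```java
import javax.naming.InvalidNameException;
import java.nio.charset.StandardCharsets;
public class DnsNameDecodeExample {
    // Decodes the domain name starting at 'pos' in a raw DNS message (hypothetical helper).
    static String decodeName(byte[] msg, int pos) throws InvalidNameException {
        StringBuilder name = new StringBuilder();
        int segmentStart = pos;   // where the run of labels being read began
        int wireLength = 1;       // encoded length, counting the root label
        while (true) {
            if (pos < 0 || pos >= msg.length)
                throw new InvalidNameException("name runs past end of message");
            int len = msg[pos] & 0xFF;
            if (len == 0)
                return name.length() == 0 ? "." : name.toString();
            if ((len & 0xC0) == 0xC0) {              // compression pointer
                if (pos + 1 >= msg.length)
                    throw new InvalidNameException("truncated compression pointer");
                int target = ((len & 0x3F) << 8) | (msg[pos + 1] & 0xFF);
                // Each jump must land before the run it leaves, so the
                // sequence of targets strictly decreases and must terminate.
                if (target >= segmentStart)
                    throw new InvalidNameException("compression pointer loop");
                pos = segmentStart = target;
            } else if ((len & 0xC0) != 0) {
                throw new InvalidNameException("reserved label type");
            } else {
                if (pos + 1 + len > msg.length)
                    throw new InvalidNameException("label runs past end of message");
                wireLength += len + 1;
                if (wireLength > 255)                // DNS limit on encoded names
                    throw new InvalidNameException("name exceeds 255 octets");
                name.append(new String(msg, pos + 1, len, StandardCharsets.ISO_8859_1)).append('.');
                pos += len + 1;
            }
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: "example.com" at offset 0, then "www" plus a pointer to 0.
        byte[] ok = {7,'e','x','a','m','p','l','e',3,'c','o','m',0, 3,'w','w','w',(byte)0xC0,0};
        System.out.println(decodeName(ok, 13));
        // Constructed sample: label "a" followed by a pointer back to offset 0.
        byte[] loop = {1,'a',(byte)0xC0,0};
        try {
            decodeName(loop, 0);
        } catch (InvalidNameException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Checking only that a pointer targets a lower offset than its own position is not enough: the second sample's pointer at offset 2 targets offset 0, and reading forward from 0 reaches the same pointer again.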