On Wed, 13 Nov 2019, Niall O'Reilly wrote:
Ah! We should probably A) fix that and refuse such names with zero labels
and B) update the used host names in the test...
I think I’ve covered item A as a side effect while working on prefix support.
https://github.com/niallor/curl/commit/228633becd613b4c9e329117bb20d850f6418c8a
Is this worth a PR yet? Or an issue?
It might be worth splitting out and fixing in a separate pull-request, sure!
Maybe that check could then also be amended to verify that the input host name
isn't longer than 253 bytes or whatever RFC 1035 dicates.
For item B, I think a more elaborate test will be needed. I’m not sure
what’s needed.
I think it primarily needs a valid input name (no zero length labels) that
is longer than the given output buffer, as that test tries to verify that the
boundary checks for that are fine and causes no overwrite.
--
/ daniel.haxx.se | Get the best commercial curl support there is - from me
| Private help, bug fixes, support, ports, new features
| https://www.wolfssl.com/contact/-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
