[gnutls-devel] GnuTLS | Fix timeout in gnutls_idna_parser_fuzzer (!881)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Sat Jan 19 20:42:35 CET 2019


In general, I am against putting such limits into a library function (maybe someone wants to wait hours or days for a result). But in this case someone could possibly use it as a DoS attack.

- We have to investigate the code in libidn2 (I did a while ago, but don't remember the results).
- The ASCII / punycode form of a domain is limited to 253 characters. Better: the limit is due to DNS constraints. There are ASCII representations that are shorter than their UCS4 representation in terms of characters, but I don't know the corner cases / limits. The UTF-8 representation could be up to 4x longer (in terms of bytes). Put another 2x and you have a nice limit of 2048 chars for the input.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/merge_requests/881#note_133029868
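The comment above derives an input cap from DNS constraints (253-character ASCII form, up to 4 UTF-8 bytes per code point, a 2x margin, rounded to 2048). The following is an added illustration of that kind of pre-check, written for this page and not code from GnuTLS or libidn2: a guard that rejects oversized input in O(1) before any expensive conversion work, then validates the UTF-8 once and counts code points. The function and macro names (`idna_input_guard`, `IDNA_INPUT_LIMIT`, etc.) and the sample inputs are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Figures taken from the comment above: DNS limits a name's ASCII form to
 * 253 characters, a UTF-8 code point is at most 4 bytes, and a further 2x
 * is kept as a margin for unknown corner cases. 253 * 4 * 2 = 2024, which
 * the comment rounds up to 2048. All macro names here are hypothetical. */
#define DNS_MAX_ASCII_NAME    253
#define UTF8_MAX_BYTES_PER_CP 4
#define SAFETY_FACTOR         2
#define IDNA_INPUT_LIMIT      2048

enum idna_guard_result {
    IDNA_GUARD_OK = 0,
    IDNA_GUARD_TOO_LONG = 1,
    IDNA_GUARD_BAD_UTF8 = 2
};

/* The unrounded budget, so the relation between the constants is explicit. */
size_t idna_worst_case_bytes(void)
{
    return DNS_MAX_ASCII_NAME * UTF8_MAX_BYTES_PER_CP * SAFETY_FACTOR;
}

/* Length in bytes of the UTF-8 sequence starting at s[0], or 0 if it is not
 * well-formed (truncated, bad continuation byte, overlong form, surrogate,
 * or above U+10FFFF). */
static size_t utf8_seq_len(const unsigned char *s, size_t avail)
{
    unsigned char c = s[0];
    size_t len;
    uint32_t cp, min;

    if (c < 0x80)                 return 1;
    else if ((c & 0xE0) == 0xC0) { len = 2; cp = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
    else                          return 0;

    if (avail < len) return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return len;
}

/* Guard to run before handing a string to an IDNA conversion routine.
 * The byte-length cap is checked first (constant time, before touching the
 * content); only then is the UTF-8 walked once to validate it and count
 * code points. The count is written to *ncp when ncp is non-NULL. */
enum idna_guard_result idna_input_guard(const char *input, size_t *ncp)
{
    size_t len = strlen(input);
    if (len > IDNA_INPUT_LIMIT) return IDNA_GUARD_TOO_LONG;

    const unsigned char *s = (const unsigned char *)input;
    size_t count = 0;
    for (size_t i = 0; i < len; ) {
        size_t l = utf8_seq_len(s + i, len - i);
        if (l == 0) return IDNA_GUARD_BAD_UTF8;
        i += l;
        count++;
    }
    if (ncp) *ncp = count;
    return IDNA_GUARD_OK;
}

/* Convenience: code point count of a valid string, or (size_t)-1 on error. */
size_t idna_code_points(const char *input)
{
    size_t n = 0;
    return idna_input_guard(input, &n) == IDNA_GUARD_OK ? n : (size_t)-1;
}

/* Convenience for exercising the cap: guard a constructed string of n copies
 * of ch (n is clamped to the local buffer). */
enum idna_guard_result idna_guard_repeated(char ch, size_t n)
{
    static char buf[4096];
    if (n >= sizeof(buf)) n = sizeof(buf) - 1;
    memset(buf, ch, n);
    buf[n] = '\0';
    return idna_input_guard(buf, NULL);
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "example.org", "\xC3\xA9xample.org", "\xC0\x80" };
    for (size_t i = 0; i < 3; i++)
        printf("sample %zu -> result %d\n", i, (int)idna_input_guard(samples[i], NULL));
    printf("budget %zu bytes, cap %d, 2049 bytes -> result %d\n",
           idna_worst_case_bytes(), IDNA_INPUT_LIMIT, (int)idna_guard_repeated('a', 2049));
    return 0;
}
```

The ordering matters for the DoS concern raised in the comment: the byte-length comparison runs before any per-character work, so an oversized input is rejected at constant cost, and the single validating pass bounds the work done on anything that passes the cap.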

