Minor com.sun.jndi.dns cleanup

Florian Weimer fweimer at redhat.com
Mon Feb 17 20:01:12 UTC 2014

On 02/17/2014 08:47 PM, Alan Bateman wrote:
> On 17/02/2014 16:22, Florian Weimer wrote:
>> Mailman ate the attachment, so I put it up here:
>> <http://fweimer.fedorapeople.org/openjdk/jndi-dns-loop/>
>> Note that other implementations fixed this as CVE-2000-0333 a long
>> time ago, but due to the lack of tail call optimization and reliable
>> stack overflow detection, this is currently not a security
>> vulnerability in OpenJDK (not even an endless loop).
> This looks good to me.  I just wonder if InvalidNameException is the
> right NamingException for this case. Would CommunicationException with
> an IOException as cause be more suitable?

DnsName throws InvalidNameException for names that exceed the 255 octet 
limit of DNS, and I followed that precedent.  Looking at the 
InvalidNameException documentation, I understand why you think another 
exception might be better here.  In the DnsName case, the same exception 
is used for parsing user-supplied strings and data from the wire, and 
strictly speaking, InvalidNameException should be used only in the 
former case.

If we are picky about exceptions, we should also wrap those 

> For the test then we need to add a @bug line with a bug for this (I'll
> create a bug).  As the test is a negative test then maybe ParsingErrors
> might be a better name.

It contains positive tests as well, to rule out that the change hasn't 
completely broken things.  Should I split this test into two different files?

Florian Weimer / Red Hat Product Security Team
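
An added illustration of the issue discussed in this message (not the patch under review and not OpenJDK code): an iterative DNS name decoder that rejects the self-referencing compression pointers behind CVE-2000-0333 and enforces the 255-octet limit. The class and method names are hypothetical, the "pointers must point strictly backwards" rule is one chosen way to guarantee termination, and malformed wire data is reported as CommunicationException with an IOException cause, the alternative raised in the quoted review. Labels are assumed to contain plain hostname characters.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.naming.CommunicationException;
import javax.naming.NamingException;

public class BoundedDnsNameDecoder {
    private static final int MAX_NAME_OCTETS = 255; // DNS limit cited in the message

    // Hypothetical helper: decodes the domain name that starts at msg[start].
    static String decode(byte[] msg, int start) throws NamingException {
        StringBuilder name = new StringBuilder();
        int pos = start;
        int wireLen = 1;     // uncompressed length, counting the final root label
        int limit = start;   // every pointer must target an offset below this
        while (true) {
            if (pos >= msg.length) throw malformed("name runs past end of message");
            int len = msg[pos] & 0xFF;
            if (len == 0) return name.length() == 0 ? "." : name.toString();
            if ((len & 0xC0) == 0xC0) { // compression pointer (RFC 1035, 4.1.4)
                if (pos + 1 >= msg.length) throw malformed("truncated pointer");
                int target = ((len & 0x3F) << 8) | (msg[pos + 1] & 0xFF);
                // Strictly decreasing targets: a loop is impossible, no recursion needed.
                if (target >= limit) throw malformed("pointer does not point backwards");
                limit = pos = target;
                continue;
            }
            if ((len & 0xC0) != 0) throw malformed("reserved label type");
            if (pos + 1 + len > msg.length) throw malformed("label runs past end of message");
            wireLen += 1 + len;
            if (wireLen > MAX_NAME_OCTETS) throw malformed("name exceeds 255 octets");
            name.append(new String(msg, pos + 1, len, StandardCharsets.ISO_8859_1)).append('.');
            pos += 1 + len;
        }
    }

    // Wire-data errors surface as CommunicationException with an IOException cause.
    private static NamingException malformed(String why) {
        NamingException e = new CommunicationException("malformed DNS message: " + why);
        e.setRootCause(new IOException(why));
        return e;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample: "example.org." at offset 0, "www" + pointer to 0 at offset 13.
        byte[] ok = "\7example\3org\0\3www\u00C0\0".getBytes(StandardCharsets.ISO_8859_1);
        System.out.println(decode(ok, 13));
        byte[] loop = "\u00C0\0".getBytes(StandardCharsets.ISO_8859_1); // pointer to itself
        try { decode(loop, 0); } catch (NamingException e) { System.out.println(e); }
    }
}
```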

