Modified ip_or_dns_addr_safe, which validates pulled DNS names,

to more closely conform to RFC 3696:

* DNS name length must not exceed 255 characters

* DNS name characters must be limited to alphanumeric,
  dash ('-'), and dot ('.')

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3312 e7ae566f-a301-0410-adde-c780ea21d3b5

diff --git a/socket.c b/socket.c
index 4d7c18052d5ed8ec98e09dc9897760e110a5708c..df922a9eb583d3ec47453c96610ce208bc123cbf 100644 (file)
--- a/socket.c
+++ b/socket.c
@@ -294,13 +294,25 @@ ip_addr_dotted_quad_safe (const char *dotted_quad)
   }
 }
 
+static bool
+dns_addr_safe (const char *addr)
+{
+  if (addr)
+    {
+      const size_t len = strlen (addr);
+      return len > 0 && len <= 255 && string_class (addr, CC_ALNUM|CC_DASH|CC_DOT, 0);
+    }
+  else
+    return false;
+}
+
 bool
-ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn)
+ip_or_dns_addr_safe (const char *addr, const bool allow_fqdn)
 {
-  if (ip_addr_dotted_quad_safe (dotted_quad))
+  if (ip_addr_dotted_quad_safe (addr))
     return true;
   else if (allow_fqdn)
-    return string_class (dotted_quad, CC_NAME|CC_DASH|CC_DOT, 0);
+    return dns_addr_safe (addr);
   else
     return false;
 }

diff --git a/socket.h b/socket.h
index b111764885537ad1eb79e87ed7983ca100930b7a..f6ec57067dc87767bb03dc10bb5327ac8edf45ea 100644 (file)
--- a/socket.h
+++ b/socket.h
@@ -399,7 +399,7 @@ int openvpn_inet_aton (const char *dotted_quad, struct in_addr *addr);
 
 /* integrity validation on pulled options */
 bool ip_addr_dotted_quad_safe (const char *dotted_quad);
-bool ip_or_dns_addr_safe (const char *dotted_quad, const bool allow_fqdn);
+bool ip_or_dns_addr_safe (const char *addr, const bool allow_fqdn);
 
 socket_descriptor_t create_socket_tcp (void);