You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
PR #720 (closes #716 item 5) added a >255-byte hostname guard in Common/source/tcpverbs.c::tcp_address_to_name (the POSIX path). During /gate review, the bar-raiser flagged a sibling bug at Common/source/WinSockNetEvents.c:1419:
copyctopstring(h->h_name, domainName);
gethostbyname()'s h_name is unbounded by spec (limited by the resolver, easily > 255 bytes with long PTR/CNAME chains, NIS/LDAP-sourced names, or attacker-controlled reverse DNS). The ignored return value means a silent truncation — same identity-confusion threat model as #716 item 5.
Current State
WinSockNetEvents.c is the Windows port. It is not currently linked into the headless frontier-cli build (verified — no references in frontier-cli/Makefile or anywhere under frontier-cli/). So this is not a live bug today.
Desired Outcome
If/when the Windows path is revived (e.g., Windows port of headless Frontier, Windows-specific CLI build, full-app Windows revival), apply the same fix pattern PR #720 used for the POSIX path:
Rationale
PR #720 (closes #716 item 5) added a >255-byte hostname guard in
Common/source/tcpverbs.c::tcp_address_to_name(the POSIX path). During /gate review, the bar-raiser flagged a sibling bug atCommon/source/WinSockNetEvents.c:1419:gethostbyname()'sh_nameis unbounded by spec (limited by the resolver, easily > 255 bytes with long PTR/CNAME chains, NIS/LDAP-sourced names, or attacker-controlled reverse DNS). The ignored return value means a silent truncation — same identity-confusion threat model as #716 item 5.Current State
WinSockNetEvents.cis the Windows port. It is not currently linked into the headlessfrontier-clibuild (verified — no references infrontier-cli/Makefileor anywhere underfrontier-cli/). So this is not a live bug today.Desired Outcome
If/when the Windows path is revived (e.g., Windows port of headless Frontier, Windows-specific CLI build, full-app Windows revival), apply the same fix pattern PR #720 used for the POSIX path:
copyctopstring's post-copyctopstring: silent truncation + buffer overflow risk on >255-byte input #707 boolean returnlog_warnwith the IP but NOT the hostname (attacker-controlled string would be a log-injection vector)Reference implementation:
Common/source/tcpverbs.c::tcp_address_to_name_pack(added in PR #720).Exit Criteria
WinSockNetEvents.c:1419Context
Common/source/tcpverbs.c::tcp_address_to_name_pack(post-fix(#716): item 5 — bound >255-byte hostname in tcp_address_to_name #720)frontier-cli/window_registry.c:116,Common/source/langerror.c:163(PR fix(#716): parseerror signature now const char *; drop Pascal-string laundering #718),Common/source/shellsysverbs.c::getenvironmentvariablefunc(PR fix(#716): item 3 — document headless getenv path; refactor legacy guard #719)