Annotation of dietlibc/SECURITY, revision 1.2
1.1 fefe 1: The diet libc was written with small code and embedded devices in mind,
2: not with security for network servers.
3:
4: Of course we still try to avoid buffer overflows, but there are some
5: parts of the code where tradeoffs have been made. This file is meant to
6: document them.
7:
8: 1. The DNS routines do not check whether the answer came from the IP
1.2 ! fefe 9: of the DNS server. The rationale is that people who can sniff the
! 10: network to find out the query, source port and DNS sequence number
! 11: can also spoof DNS packets to appear to come from the server we
! 12: asked, so it does not actually increase security to have that
! 13: check.
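The source-address check that item 1 says is left out, written as an added example; it is not dietlibc code, and the function, enum and helper names are hypothetical. It also compares the source port and the query ID, and the addresses used with it are constructed documentation addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Reasons a reply is rejected (names are hypothetical, not dietlibc's). */
enum dns_verdict { DNS_OK = 0, DNS_SHORT, DNS_BAD_SOURCE, DNS_BAD_ID, DNS_NOT_REPLY };

/* Decide whether a UDP datagram may be treated as the answer to our query.
 * from   - source address filled in by recvfrom()
 * server - resolver address the query was sent to
 * pkt    - raw datagram, len bytes
 * id     - 16-bit sequence number placed in the query header */
enum dns_verdict dns_check_reply(const struct sockaddr_in *from,
                                 const struct sockaddr_in *server,
                                 const unsigned char *pkt, size_t len,
                                 uint16_t id)
{
    if (len < 12)                       /* fixed DNS header is 12 bytes */
        return DNS_SHORT;
    /* The check the SECURITY file says is omitted: source IP and port
     * must equal the server we asked. It filters stray datagrams only;
     * a sender who forges the source address passes it. */
    if (from->sin_family != AF_INET ||
        from->sin_addr.s_addr != server->sin_addr.s_addr ||
        from->sin_port != server->sin_port)
        return DNS_BAD_SOURCE;
    /* Sequence number: bytes 0-1 of the header, network byte order. */
    if ((uint16_t)((pkt[0] << 8) | pkt[1]) != id)
        return DNS_BAD_ID;
    if (!(pkt[2] & 0x80))               /* QR bit clear means a query */
        return DNS_NOT_REPLY;
    return DNS_OK;
}

/* Build a constructed sample IPv4 address for exercising the check. */
struct sockaddr_in dns_sample_addr(const char *ip, uint16_t port)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}
```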
LinuxTV legacy CVS <linuxtv.org/cvs>