
Re: Security concern about open range integers (was: Question about: 4.1.1 Integer representation)

From: Fred Akalin <akalin@google.com>
Date: Mon, 21 Oct 2013 14:03:46 -0700
Message-ID: <CANUYc_QCH3T57RkA_iH9BQX7WsTs33d0B8PGhr4KkWgKY6PC3g@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Roberto Peon <grmocg@gmail.com>, Frédéric Kayser <f.kayser@free.fr>, HTTP Working Group <ietf-http-wg@w3.org>
I'm not sure I see the problem. While decoding a varint, you have to keep
track of the amount to right-shift the low 7 bits of the next octet. You can
then check if doing so would overflow 32 bits, and abort if so.

On Mon, Oct 21, 2013 at 10:23 AM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 20 October 2013 23:24, Fred Akalin <akalin@google.com> wrote:
> > I think it's worth mentioning explicit upper bounds in the spec. Something
> > like any decoded varint must fit in 32 bits.
>
> I don't think that it makes sense to have a single maximum.  Fitting
> the result into 32 bits might be a nice goal, but that requires that
> you use only 6 octets of encoded length and make sure that it fits the
> mask 0xff 0x80 0xC0 0xff 0xff 0x0f.  Or maybe 0xff 0x80 0xC0 0xff 0xff
> 0x0f7 if you are sign-bit averse.  But only if that last byte has the
> 0x08 or 0x04 bit set.  That is yucky.  The alternative leaves you
> vulnerable to other attacks, especially the one where you get a long
> series of 0x80 bytes.
>
> https://github.com/http2/http2-spec/pull/291
>
Received on Monday, 21 October 2013 21:04:13 UTC
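As an added illustration of the bounded decode Fred describes and of the "long series of 0x80 bytes" case Martin raises (this is example code written for this archive page, not code from the thread, from the draft, or from any HTTP/2 implementation): a decoder for the integer layout the draft's section 4.1.1 uses, as I read it, with an N-bit prefix in the first octet followed by 7-bit continuation groups, least significant first, each carrying 0x80 while more follow. The function names, the status codes, the 32-bit cap and the sample inputs below are my own choices. Each continuation octet is checked before its bits are shifted in, so neither the shift nor the addition can wrap, and once the shift passes 31 the decoder aborts rather than looping on further continuation octets.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of a decode attempt (names are this example's, not the draft's). */
enum varint_status {
    VARINT_OK = 0,
    VARINT_BAD_PREFIX,  /* prefix width not in 1..8 */
    VARINT_TRUNCATED,   /* buffer ended while the continuation bit was still set */
    VARINT_OVERFLOW     /* value would exceed UINT32_MAX, or too many continuation octets */
};

/*
 * Decode one integer: the low prefix_bits of buf[0] hold the value if it is
 * below 2^prefix_bits - 1; otherwise that maximum is followed by 7-bit
 * groups, least significant first, each with 0x80 set while more follow.
 * The result is capped at 32 bits.  Shift positions 0,7,14,21,28 are the
 * only ones that can land inside 32 bits, and at 28 only the low 4 bits of
 * the group may be set; anything beyond that is refused before it is used.
 */
enum varint_status decode_uint32(const uint8_t *buf, size_t len,
                                 unsigned prefix_bits,
                                 uint32_t *out, size_t *consumed)
{
    if (prefix_bits < 1 || prefix_bits > 8)
        return VARINT_BAD_PREFIX;
    if (len == 0)
        return VARINT_TRUNCATED;

    uint32_t mask = (1u << prefix_bits) - 1;
    uint32_t value = buf[0] & mask;
    size_t pos = 1;

    if (value < mask) {             /* the whole value fit in the prefix */
        *out = value;
        *consumed = pos;
        return VARINT_OK;
    }

    unsigned shift = 0;
    for (;;) {
        if (pos >= len)
            return VARINT_TRUNCATED;
        uint8_t octet = buf[pos++];
        uint32_t group = octet & 0x7f;

        /* Check before shifting: group << shift must fit in 32 bits. */
        if (shift > 31 || group > (UINT32_MAX >> shift))
            return VARINT_OVERFLOW;
        uint32_t add = group << shift;
        if (value > UINT32_MAX - add)   /* the addition itself would wrap */
            return VARINT_OVERFLOW;
        value += add;
        shift += 7;

        if ((octet & 0x80) == 0)
            break;
    }
    *out = value;
    *consumed = pos;
    return VARINT_OK;
}

/* Encode value in the same layout; the high bits of the first octet are
 * left clear for the caller.  Returns octets written, or 0 if cap is too small. */
size_t encode_uint32(uint32_t value, unsigned prefix_bits, uint8_t *out, size_t cap)
{
    if (prefix_bits < 1 || prefix_bits > 8 || cap == 0)
        return 0;
    uint32_t mask = (1u << prefix_bits) - 1;
    size_t n = 0;
    if (value < mask) {
        out[n++] = (uint8_t)value;
        return n;
    }
    out[n++] = (uint8_t)mask;
    value -= mask;
    while (value >= 0x80) {
        if (n >= cap) return 0;
        out[n++] = (uint8_t)((value & 0x7f) | 0x80);
        value >>= 7;
    }
    if (n >= cap) return 0;
    out[n++] = (uint8_t)value;
    return n;
}

int main(void)
{
    /* Constructed inputs: 1337 with a 5-bit prefix, UINT32_MAX with an
     * 8-bit prefix, an encoding that would wrap by one, and a run of 0x80. */
    const uint8_t ok[]   = {0x1f, 0x9a, 0x0a};
    const uint8_t max[]  = {0xff, 0x80, 0xfe, 0xff, 0xff, 0x0f};
    const uint8_t wrap[] = {0xff, 0x81, 0xfe, 0xff, 0xff, 0x0f};
    const uint8_t run[]  = {0xff, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x00};
    uint32_t v; size_t n;

    printf("1337 : status %d value %u\n", decode_uint32(ok, sizeof ok, 5, &v, &n), v);
    printf("max  : status %d value %u\n", decode_uint32(max, sizeof max, 8, &v, &n), v);
    printf("wrap : status %d\n", decode_uint32(wrap, sizeof wrap, 8, &v, &n));
    printf("0x80 : status %d\n", decode_uint32(run, sizeof run, 8, &v, &n));
    return 0;
}
```

Refusing a zero-valued continuation group once the shift is past 31 is stricter than pure arithmetic requires, since such a group adds nothing; but a conforming encoder never emits one, and the rule is what bounds the work per integer at six octets, which is exactly the 0x80-run problem in the quoted message.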
