Re: Security concern about open range integers (was: Question about: 4.1.1 Integer representation) from Martin Thomson on 2013-10-21 (ietf-http-wg@w3.org from October to December 2013)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 21 Oct 2013 14:15:18 -0700
To: Fred Akalin <akalin@google.com>
Cc: Roberto Peon <grmocg@gmail.com>, Frédéric Kayser <f.kayser@free.fr>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnWyrgr9r4rxRramF1rJjeFp15CNGrNywqsDv7_jK=UFCA@mail.gmail.com>

On 21 October 2013 14:03, Fred Akalin <akalin@google.com> wrote:
> I'm not sure I see the problem. While decoding a varint, you have to keep
> track of amount to right-shift the low 7 bits of the next octet. You can
> then check if doing so would overflow 32 bits, and abort if so.

If you want to use all the 32 bits, then you have to check what bits are set.

The bigger problem is the extra 2^N-1 you are required to add (255 for
an 8-bit prefix), which will cause an overflow if you aren't careful.
Hence the tricky little mask I used...

Received on Monday, 21 October 2013 21:15:46 UTC