Re: Security concern about open range integers (was: Question about: 4.1.1 Integer representation)

On 20 October 2013 23:24, Fred Akalin <akalin@google.com> wrote:
> I think it's worth mentioning explicit upper bounds in the spec. Something
> like any decoded varint must fit in 32 bits.

I don't think that it makes sense to have a single maximum.  Fitting
the result into 32 bits might be a nice goal, but that requires that
you use only 6 octets of encoded length and make sure that it fits the
mask 0xff 0x80 0xC0 0xff 0xff 0x0f.  Or maybe 0xff 0x80 0xC0 0xff 0xff
0x0f7 if you are sign-bit averse.  But only if that last byte has the
0x08 or 0x04 bit set.  That is yucky.  The alternative leaves you
vulnerable to other attacks, especially the one where you get a long
series of 0x80 bytes.

https://github.com/http2/http2-spec/pull/291

Received on Monday, 21 October 2013 17:23:37 UTC
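
An added example, not part of the original message or of the spec: a C decoder for the prefix-plus-7-bit-group integer encoding this thread is about (layout assumed from the draft's integer representation section), bounding both the decoded value to 32 bits and the number of continuation octets so that a run of 0x80 bytes is rejected. The function name, return codes and the 5-octet cap are choices made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical return codes for this example. */
enum { VARINT_OK = 0, VARINT_TRUNCATED = -1, VARINT_TOO_LONG = -2, VARINT_OVERFLOW = -3 };

/* Assumed cap: 5 groups of 7 bits are enough to carry any 32-bit value. */
#define VARINT_MAX_CONT 5

/*
 * Decode an integer with an N-bit prefix (caller passes 1..8) followed by
 * 7-bit groups, least significant first; 0x80 on a group means "more follow".
 * On success stores the value in *out and the octets consumed in *used.
 */
int varint_decode(const uint8_t *buf, size_t len, unsigned prefix_bits,
                  uint32_t *out, size_t *used)
{
    if (len == 0)
        return VARINT_TRUNCATED;
    uint32_t max_prefix = (1u << prefix_bits) - 1;
    uint64_t value = buf[0] & max_prefix;   /* 64-bit so overflow is detectable */
    if (value < max_prefix) { *out = (uint32_t)value; *used = 1; return VARINT_OK; }

    for (size_t i = 1; ; i++) {
        if (i > VARINT_MAX_CONT)            /* length bound: stops 0x80 0x80 ... */
            return VARINT_TOO_LONG;
        if (i >= len)
            return VARINT_TRUNCATED;
        uint8_t b = buf[i];
        value += (uint64_t)(b & 0x7f) << (7 * (i - 1));
        if (value > UINT32_MAX)             /* value bound: must fit in 32 bits */
            return VARINT_OVERFLOW;
        if (!(b & 0x80)) { *out = (uint32_t)value; *used = i + 1; return VARINT_OK; }
    }
}

int main(void)
{
    /* Constructed input: full 8-bit prefix, then octets that only say "continue". */
    const uint8_t flood[] = {0xff, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80};
    uint32_t v = 0; size_t n = 0;
    printf("0x80 run -> %d\n", varint_decode(flood, sizeof flood, 8, &v, &n));
    return 0;
}
```

The length check runs before each read, so the decoder gives up after a fixed number of octets regardless of how much input the peer supplies.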