Re: Security concern about open range integers (was: Question about: 4.1.1 Integer representation) from James M Snell on 2013-10-21 (ietf-http-wg@w3.org from October to December 2013)

From: James M Snell <jasnell@gmail.com>
Date: Mon, 21 Oct 2013 12:49:36 -0700
To: Martin Thomson <martin.thomson@gmail.com>
Cc: ietf-http-wg@w3.org, Frédéric Kayser <f.kayser@free.fr>, Roberto Peon <grmocg@gmail.com>, Fred Akalin <akalin@google.com>
Message-ID: <CABP7RbfNgm9VLNoMZTwHv+VsoNs=RnSZDXSLCu0cZOGOuS+vxg@mail.gmail.com>

Offering some sound advice in the security considerations is certainly
worthwhile.
On Oct 21, 2013 10:25 AM, "Martin Thomson" <martin.thomson@gmail.com> wrote:

> On 20 October 2013 23:24, Fred Akalin <akalin@google.com> wrote:
> > I think it's worth mentioning explicit upper bounds in the spec.
> Something
> > like any decoded varint must fit in 32 bits.
>
> I don't think that it makes sense to have a single maximum.  Fitting
> the result into 32bits might be a nice goal, but that requires that
> you use only 6 octets of encoded length and make sure that it fits the
> mask 0xff 0x80 0xC0 0xff 0xff 0x0f.  Or maybe 0xff 0x80 0xC0 0xff 0xff
> 0x0f7 if you are sign-bit averse.  But only if that last byte has the
> 0x08 or 0x04 bit set.  That is yucky.  The alternative leaves you
> vulnerable to other attacks, especially the one where you get a long
> series of 0x80 bytes.
>
> https://github.com/http2/http2-spec/pull/291
>
>

Received on Monday, 21 October 2013 19:50:03 UTC