Offering some sound advice in the security considerations is certainly
worthwhile.
On Oct 21, 2013 10:25 AM, "Martin Thomson" <martin.thomson@gmail.com> wrote:
> On 20 October 2013 23:24, Fred Akalin <akalin@google.com> wrote:
> > I think it's worth mentioning explicit upper bounds in the spec.
> Something
> > like any decoded varint must fit in 32 bits.
>
> I don't think that it makes sense to have a single maximum. Fitting
> the result into 32bits might be a nice goal, but that requires that
> you use only 6 octets of encoded length and make sure that it fits the
> mask 0xff 0x80 0xC0 0xff 0xff 0x0f. Or maybe 0xff 0x80 0xC0 0xff 0xff
> 0x0f7 if you are sign-bit averse. But only if that last byte has the
> 0x08 or 0x04 bit set. That is yucky. The alternative leaves you
> vulnerable to other attacks, especially the one where you get a long
> series of 0x80 bytes.
>
> https://github.com/http2/http2-spec/pull/291
>
>