I'm not sure I see the problem. While decoding a varint, you have to keep track of amount to right-shift the low 7 bits of the next octet. You can then check if doing so would overflow 32 bits, and abort if so. On Mon, Oct 21, 2013 at 10:23 AM, Martin Thomson <martin.thomson@gmail.com>wrote: > On 20 October 2013 23:24, Fred Akalin <akalin@google.com> wrote: > > I think it's worth mentioning explicit upper bounds in the spec. > Something > > like any decoded varint must fit in 32 bits. > > I don't think that it makes sense to have a single maximum. Fitting > the result into 32bits might be a nice goal, but that requires that > you use only 6 octets of encoded length and make sure that it fits the > mask 0xff 0x80 0xC0 0xff 0xff 0x0f. Or maybe 0xff 0x80 0xC0 0xff 0xff > 0x0f7 if you are sign-bit averse. But only if that last byte has the > 0x08 or 0x04 bit set. That is yucky. The alternative leaves you > vulnerable to other attacks, especially the one where you get a long > series of 0x80 bytes. > > https://github.com/http2/http2-spec/pull/291 >
Received on Monday, 21 October 2013 21:04:13 UTC