Re: Security concern about open range integers (was: Question about: 4.1.1 Integer representation)

I'm not sure I see the problem. While decoding a varint, you have to keep
track of the amount to right-shift the low 7 bits of the next octet. You can
then check if doing so would overflow 32 bits, and abort if so.

On Mon, Oct 21, 2013 at 10:23 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:

> On 20 October 2013 23:24, Fred Akalin <akalin@google.com> wrote:
> > I think it's worth mentioning explicit upper bounds in the spec. Something
> > like any decoded varint must fit in 32 bits.
>
> I don't think that it makes sense to have a single maximum.  Fitting
> the result into 32 bits might be a nice goal, but that requires that
> you use only 6 octets of encoded length and make sure that it fits the
> mask 0xff 0x80 0xC0 0xff 0xff 0x0f.  Or maybe 0xff 0x80 0xC0 0xff 0xff
> 0x0f7 if you are sign-bit averse.  But only if that last byte has the
> 0x08 or 0x04 bit set.  That is yucky.  The alternative leaves you
> vulnerable to other attacks, especially the one where you get a long
> series of 0x80 bytes.
>
> https://github.com/http2/http2-spec/pull/291
>
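The shift-tracking check described in the reply above, written out as an added example; this is not code from the thread or from the http2-spec repository. It decodes an HPACK-style integer (N-bit prefix, then 7-bit continuation groups, least significant first, as later published in RFC 7541 section 5.1), refuses to place any 7-bit group above bit 31, and also refuses the final prefix addition if that would wrap. Because the shift bound caps the number of continuation octets at five, a long run of 0x80 octets is rejected rather than consumed. The function names, the status enum and the overflow test vectors are my own; the 10 / 1337 / 42 vectors are the spec's appendix examples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of a decode attempt (names are this example's own). */
enum varint_status { VARINT_OK = 0, VARINT_TRUNCATED, VARINT_OVERFLOW };

/*
 * Decode one HPACK-style integer from buf[0..len) using an N-bit prefix.
 * The decoder tracks the shift the next 7 bits would receive and aborts
 * as soon as those bits could not fit below bit 32.  Over-long encodings,
 * including a run of 0x80 continuation octets, are therefore rejected
 * instead of wrapping the accumulator or looping over the input.
 */
enum varint_status decode_varint32(const uint8_t *buf, size_t len,
                                   unsigned prefix_bits,
                                   uint32_t *out, size_t *consumed)
{
    if (prefix_bits < 1 || prefix_bits > 8 || len == 0)
        return VARINT_TRUNCATED;

    const uint32_t prefix_max = (1u << prefix_bits) - 1u;
    uint32_t value = buf[0] & prefix_max;
    size_t pos = 1;

    if (value < prefix_max) {            /* whole value fit in the prefix */
        *out = value;
        *consumed = pos;
        return VARINT_OK;
    }

    uint32_t extra = 0;                  /* sum of (7-bit group << shift) */
    unsigned shift = 0;
    uint8_t octet;
    do {
        if (pos >= len)
            return VARINT_TRUNCATED;
        octet = buf[pos++];
        uint32_t low7 = octet & 0x7fu;
        /* Any set bit that would land above bit 31 means it cannot fit. */
        if (shift >= 32 || low7 > (UINT32_MAX >> shift))
            return VARINT_OVERFLOW;
        extra += low7 << shift;          /* groups never overlap, no carry */
        shift += 7;
    } while (octet & 0x80u);

    /* Adding the all-ones prefix back must not wrap either. */
    if (extra > UINT32_MAX - prefix_max)
        return VARINT_OVERFLOW;
    *out = prefix_max + extra;
    *consumed = pos;
    return VARINT_OK;
}

/* Encode value with an N-bit prefix (upper prefix-octet bits left zero).
 * Returns octets written, or 0 if cap is too small. */
size_t encode_varint32(uint32_t value, unsigned prefix_bits,
                       uint8_t *out, size_t cap)
{
    const uint32_t prefix_max = (1u << prefix_bits) - 1u;
    size_t n = 0;
    if (cap < 1)
        return 0;
    if (value < prefix_max) {
        out[n++] = (uint8_t)value;
        return n;
    }
    out[n++] = (uint8_t)prefix_max;
    value -= prefix_max;
    while (value >= 128u) {              /* emit 7 bits + continuation flag */
        if (n >= cap)
            return 0;
        out[n++] = (uint8_t)((value & 0x7fu) | 0x80u);
        value >>= 7;
    }
    if (n >= cap)
        return 0;
    out[n++] = (uint8_t)value;
    return n;
}

/* Small wrappers so callers can inspect one result at a time. */
enum varint_status decode_status(const uint8_t *buf, size_t len, unsigned prefix_bits)
{
    uint32_t v; size_t n;
    return decode_varint32(buf, len, prefix_bits, &v, &n);
}

uint32_t decode_value(const uint8_t *buf, size_t len, unsigned prefix_bits)
{
    uint32_t v = 0; size_t n;
    return decode_varint32(buf, len, prefix_bits, &v, &n) == VARINT_OK ? v : 0;
}

int roundtrip_ok(uint32_t value, unsigned prefix_bits)
{
    uint8_t buf[8];
    size_t n = encode_varint32(value, prefix_bits, buf, sizeof buf);
    return n != 0 && decode_value(buf, n, prefix_bits) == value;
}

int main(void)
{
    /* Constructed inputs: a minimal 32-bit maximum and one that exceeds it. */
    const uint8_t max32[] = {0xff, 0x80, 0xfe, 0xff, 0xff, 0x0f};
    const uint8_t over[]  = {0xff, 0x81, 0xfe, 0xff, 0xff, 0x0f};
    const uint8_t run80[] = {0xff, 0x80, 0x80, 0x80, 0x80, 0x80, 0x01};
    printf("max32  -> %u (status %d)\n", decode_value(max32, 6, 8), decode_status(max32, 6, 8));
    printf("over   -> status %d\n", decode_status(over, 6, 8));
    printf("run80  -> status %d\n", decode_status(run80, 7, 8));
    return 0;
}
```

The two overflow paths are deliberately separate: the per-octet shift check catches bits above bit 31 (and bounds the loop), while the final check catches the case where the 7-bit groups fit but adding the prefix maximum back does not.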

Received on Monday, 21 October 2013 21:04:13 UTC