[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Demexp-dev] New version of XDR RFC & some comments related to demexp
From: |
David MENTRE |
Subject: |
[Demexp-dev] New version of XDR RFC & some comments related to demexp |
Date: |
Sat, 20 May 2006 09:41:42 +0200 |
User-agent: |
Gnus/5.1006 (Gnus v5.10.6) Emacs/21.4 (gnu/linux) |
Hello,
A new version of the IETF's RFC defining XDR has been published:
http://www.rfc-editor.org/rfc/rfc4506.txt
No major modification has been made:
"""
2. Changes from RFC 1832
This document makes no technical changes to RFC 1832 and is published
for the purposes of noting IANA considerations, augmenting security
considerations, and distinguishing normative from informative
references.
"""
Regarding security aspects, here are my comments:
"""
8. Security Considerations
[...]
Care must be take to properly encode and decode data to avoid
attacks. Known and avoidable risks include:
* Buffer overflow attacks. Where feasible, protocols should be
defined with explicit limits (via the "<" [ value ] ">" notation
instead of "<" ">") on elements with variable-length data types.
Regardless of the feasibility of an explicit limit on the
variable length of an element of a given protocol, decoders need
to ensure the incoming size does not exceed the length of any
provisioned receiver buffers.
"""
I have tried to define in all cases an explicit limit on elements'
size.
"""
* Nul octets embedded in an encoded value of type string.
"""
OCaml is not sensitive to this kind of issue.
"""
* Decoding of characters in strings that are legal ASCII
characters but nonetheless are illegal for the intended
application.
"""
That might be an issue in the future, especially related to
classification or links.
"""
* Denial of service caused by recursive decoder or encoder
subroutines.
"""
I trust Gerd to have correctly programmed the XDR decoder. I haven't
checked his code.
Of course, anybody is free to make an independent review of the
code. :-)
Best wishes,
d.
--
pub 1024D/A3AD7A2A 2004-10-03 David MENTRE <address@hidden>
5996 CC46 4612 9CA4 3562 D7AC 6C67 9E96 A3AD 7A2A
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Demexp-dev] New version of XDR RFC & some comments related to demexp,
David MENTRE <=