From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id LAA06145; Wed, 6 Mar 2002 11:59:25 +0100 (MET) X-Authentication-Warning: pauillac.inria.fr: majordomo set sender to owner-caml-list@pauillac.inria.fr using -f Received: from concorde.inria.fr (concorde.inria.fr [192.93.2.39]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id LAA05527 for ; Wed, 6 Mar 2002 11:59:24 +0100 (MET) Received: from pauillac.inria.fr (pauillac.inria.fr [128.93.11.35]) by concorde.inria.fr (8.11.1/8.11.1) with ESMTP id g26AxML16475; Wed, 6 Mar 2002 11:59:22 +0100 (MET) Received: (from xleroy@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id LAA04991; Wed, 6 Mar 2002 11:59:22 +0100 (MET) Date: Wed, 6 Mar 2002 11:59:22 +0100 From: Xavier Leroy To: Charles Martin Cc: caml-list@inria.fr Subject: Re: [Caml-list] Does Marshal handle malicious data? Message-ID: <20020306115922.B4830@pauillac.inria.fr> References: <5.1.0.14.0.20020305145423.0288b5b0@192.168.0.1> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <5.1.0.14.0.20020305145423.0288b5b0@192.168.0.1>; from joelisp@yahoo.com on Tue, Mar 05, 2002 at 02:56:25PM -0800 Sender: owner-caml-list@pauillac.inria.fr Precedence: bulk > Will the standard Marshal library correctly generate an exception > for malicious data? Or is it possible that it will cause a core > dump, read past end of string, etc? No, unmarshaling is not hardened against bad data (except checking the initial magic number). So, corrupted data can cause all the bad things that you mentioned (core dump, etc). Gracefully recovering from bad data could be implemented, but at significant run-time cost. An alternative is to use message authentication codes and the like to guarantee the integrity of the data. - Xavier Leroy ------------------- To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/ Beginner's list: http://groups.yahoo.com/group/ocaml_beginners