From: Francois Berenger <francois.berenger@inria.fr>
To: caml-list@inria.fr
Subject: Re: [Caml-list] Marshall.from_channel and segmentation fault
Date: Fri, 12 Jun 2015 10:41:02 +0200 [thread overview]
Message-ID: <557A9B1E.9010407@inria.fr> (raw)
In-Reply-To: <557A8CBB.5050306@inria.fr>
On 06/12/2015 09:39 AM, Romain Bardou wrote:
> On 12/06/2015 07:27, Kenichi Asai wrote:
>> The OCaml manual for the Marshall module says:
>>
>>> (Marshal.from_channel chan : type). Anything can happen at run-time
>>> if the object in the file does not belong to the given type.
>>
>> and this "Anything" contains segmentation fault. Is it difficult to
>> avoid this segmentation fault and, e.g., raise an exception instead?
>>
>> Sincerely,
>>
>
> You have to check that you will not dereference invalid pointers.
> Basically you need to type-check the value at runtime before using it.
> If you have a runtime representation of the type of your value, you may
> be able to do so using Obj. But if you have a runtime representation of
> the type, Marshal suddenly becomes less interesting as you can use this
> representation to guide serialization anyway.
>
> Because of this, Marshal is mostly used when one knows through other
> means that only values of the right type are deserialized. This means
> that Marshal should not be used for network applications where the
> remote peer cannot be trusted to always send values of the right type.
> An attacker could send an ill-formed value to crash the server,
You could first check a message authentication code before
trying to unmarshall.
Given that the secret key to cryptographically signed messages
is only known to authorized members of the communication group,
an attacker would not be able to inject messages into your system
without you detecting it and not trying to unmarshall from them.
> for
> instance. Or, the remote peer may simply not be up-to-date and use other
> types for its values.
>
> Marshal is better suited to saving data locally. It will still fail if
> one tries to use values from another application or another version of
> the same application with incompatible types. In other words it will not
> be backward compatible when types change, so Marshal is better suited
> for temporary files. For instance, .cmi files are marshaled values, if
> I'm not mistaken.
>
> To sum up: yes, it is difficult.
>
> Cheers,
>
--
Regards,
Francois.
"When in doubt, use more types"
next prev parent reply other threads:[~2015-06-12 8:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-12 5:27 Kenichi Asai
2015-06-12 7:39 ` Romain Bardou
2015-06-12 8:26 ` Kenichi Asai
2015-06-12 8:55 ` Romain Bardou
2015-06-12 8:41 ` Francois Berenger [this message]
2015-06-12 8:38 ` Francois Berenger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=557A9B1E.9010407@inria.fr \
--to=francois.berenger@inria.fr \
--cc=caml-list@inria.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).