From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Original-To: caml-list@sympa.inria.fr Delivered-To: caml-list@sympa.inria.fr Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) by sympa.inria.fr (Postfix) with ESMTPS id 2FA1D7EF08 for ; Fri, 12 Jun 2015 10:41:02 +0200 (CEST) X-IronPort-AV: E=Sophos;i="5.13,601,1427752800"; d="scan'208";a="164764580" Received: from meleze.ens.fr (HELO [129.199.99.114]) ([129.199.99.114]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES128-SHA; 12 Jun 2015 10:41:02 +0200 Message-ID: <557A9B1E.9010407@inria.fr> Date: Fri, 12 Jun 2015 10:41:02 +0200 From: Francois Berenger User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0 MIME-Version: 1.0 To: caml-list@inria.fr References: <20150612052738.GA3684@pllab.is.ocha.ac.jp> <557A8CBB.5050306@inria.fr> In-Reply-To: <557A8CBB.5050306@inria.fr> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Caml-list] Marshall.from_channel and segmentation fault On 06/12/2015 09:39 AM, Romain Bardou wrote: > On 12/06/2015 07:27, Kenichi Asai wrote: >> The OCaml manual for the Marshall module says: >> >>> (Marshal.from_channel chan : type). Anything can happen at run-time >>> if the object in the file does not belong to the given type. >> >> and this "Anything" contains segmentation fault. Is it difficult to >> avoid this segmentation fault and, e.g., raise an exception instead? >> >> Sincerely, >> > > You have to check that you will not dereference invalid pointers. > Basically you need to type-check the value at runtime before using it. > If you have a runtime representation of the type of your value, you may > be able to do so using Obj. But if you have a runtime representation of > the type, Marshal suddenly becomes less interesting as you can use this > representation to guide serialization anyway. > > Because of this, Marshal is mostly used when one knows through other > means that only values of the right type are deserialized. This means > that Marshal should not be used for network applications where the > remote peer cannot be trusted to always send values of the right type. > An attacker could send an ill-formed value to crash the server, You could first check a message authentication code before trying to unmarshall. Given that the secret key to cryptographically signed messages is only known to authorized members of the communication group, an attacker would not be able to inject messages into your system without you detecting it and not trying to unmarshall from them. > for > instance. Or, the remote peer may simply not be up-to-date and use other > types for its values. > > Marshal is better suited to saving data locally. It will still fail if > one tries to use values from another application or another version of > the same application with incompatible types. In other words it will not > be backward compatible when types change, so Marshal is better suited > for temporary files. For instance, .cmi files are marshaled values, if > I'm not mistaken. > > To sum up: yes, it is difficult. > > Cheers, > -- Regards, Francois. "When in doubt, use more types"