From mboxrd@z Thu Jan  1 00:00:00 1970
Received: (from majordomo@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id HAA00921; Wed, 6 Mar 2002 07:35:48 +0100 (MET)
X-Authentication-Warning: pauillac.inria.fr: majordomo set sender to owner-caml-list@pauillac.inria.fr using -f
Received: (from weis@localhost) by pauillac.inria.fr (8.7.6/8.7.3) id HAA32630 for caml-list@pauillac.inria.fr; Wed, 6 Mar 2002 07:35:47 +0100 (MET)
Received: from nez-perce.inria.fr (nez-perce.inria.fr [192.93.2.78]) by pauillac.inria.fr (8.7.6/8.7.3) with ESMTP id EAA31193 for <caml-list@pauillac.inria.fr>; Wed, 6 Mar 2002 04:28:54 +0100 (MET)
Received: from sj1-3-4-9.securesites.net (sj1-3-4-9.securesites.net [192.220.127.202])
	by nez-perce.inria.fr (8.11.1/8.11.1) with SMTP id g263Srr01587
	for <caml-list@inria.fr>; Wed, 6 Mar 2002 04:28:53 +0100 (MET)
Received: (qmail 18454 invoked by uid 16863); 6 Mar 2002 03:28:52 -0000
Received: from unknown (HELO localhost) ([192.220.65.223]) (envelope-sender <bpr@bpr.best.vwh.net>)
          by 192.220.65.223 (qmail-ldap-1.03) with SMTP
          for <joelisp@yahoo.com>; 6 Mar 2002 03:28:52 -0000
Date: Wed, 6 Mar 2002 03:28:51 +0000 (GMT)
From: Brian Rogoff <bpr@bpr.best.vwh.net>
To: Charles Martin <joelisp@yahoo.com>
cc: caml-list@inria.fr
Subject: Re: [Caml-list] Does Marshal handle malicious data?
In-Reply-To: <5.1.0.14.0.20020305145423.0288b5b0@192.168.0.1>
Message-ID: <Pine.BSF.4.40.0203060323230.16408-100000@bpr.best.vwh.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-caml-list@pauillac.inria.fr
Precedence: bulk

On Tue, 5 Mar 2002, Charles Martin wrote:
> Will the standard Marshal library correctly generate an exception for
> malicious data?  Or is it possible that it will cause a core dump, read
> past end of string, etc?

You can get a core dump from improper use of marshalling without
"malicious" use. I've had it happen by simply changing a data format and
using the wrong version of the program read it back in.

You can increase the safety by various tricks in your reader, but I don't
think there are any simple idiot proof solutions. I'm a pretty clever
idiot.

-- Brian
-------------------
To unsubscribe, mail caml-list-request@inria.fr Archives: http://caml.inria.fr
Bug reports: http://caml.inria.fr/bin/caml-bugs FAQ: http://caml.inria.fr/FAQ/
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners