ASN.1, the toxic gift that keeps on giving...

Jeremy Allison jra at samba.org
Tue May 3 20:13:41 UTC 2016


On Tue, May 03, 2016 at 04:05:34PM -0400, Simo wrote:
> On Tue, 2016-05-03 at 12:08 -0700, Jeremy Allison wrote:
> > Nice to know it's not only us who can never get
> > ASN.1 right...
> > 
> > https://www.openssl.org/news/secadv/20160503.txt
> > 
> > "ASN.1 encoding the value zero
> > represented as a negative integer can cause a buffer underflow
> > with an out-of-bounds write in i2c_ASN1_INTEGER."
> > 
> > WHY WOULD YOU CREATE A PROTOCOL THAT ALLOWS ZERO
> > ENCODED AS A NEGATIVE INTEGER ?!?!?!?!?!?!?
> > 
> > Never mind, another 40+ years and *maybe* the
> > ASN.1 parsers will be secure.
> 
> I have to say, even with all these nasty gifts, I like ASN.1 better
> than the alternatives.

Too complex to live. ONC-RPC is at the limits
of human complexity IMHO and is small enough
to be safely written.

Despite what Ronnie used to say, there is no
need to send a circular linked list over the
network :-).

> There I said it, I am ready for the Asylum :-)

You were ready a long, long time ago Simo :-).

In the cell next to mine :-).
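The advisory quoted above concerns an encoder handling a zero carrying a negative flag. On the decoding side the defensive rule is the same one DER already imposes: an INTEGER has exactly one valid encoding, zero is `02 01 00`, and anything non-minimal is rejected before any length arithmetic happens. The following strict DER INTEGER encoder/decoder is an added illustration of that rule, not code from the thread or from OpenSSL; all function names are my own.

```python
# Strict DER INTEGER (tag 0x02) encode/decode with minimality checks.
# Illustrative example, not the OpenSSL or Samba implementation.

TAG_INTEGER = 0x02


def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])                       # short form
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw       # long form, minimal octets


def _decode_length(buf: bytes, pos: int) -> tuple:
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:               # 0x80 = indefinite (BER only); cap size
        raise ValueError("bad length octet")
    raw = buf[pos + 1:pos + 1 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated length")
    if raw[0] == 0 or int.from_bytes(raw, "big") < 0x80:
        raise ValueError("non-minimal length encoding")
    return int.from_bytes(raw, "big"), pos + 1 + nbytes


def encode_der_integer(n: int) -> bytes:
    """Minimal two's-complement content; zero always encodes as 02 01 00."""
    magnitude = n if n >= 0 else -n - 1         # bits needed besides the sign bit
    content = n.to_bytes(magnitude.bit_length() // 8 + 1, "big", signed=True)
    return bytes([TAG_INTEGER]) + _encode_length(len(content)) + content


def decode_der_integer(buf: bytes) -> int:
    """Decode a single DER INTEGER, rejecting every non-canonical form."""
    if len(buf) < 2 or buf[0] != TAG_INTEGER:
        raise ValueError("not an INTEGER")
    length, pos = _decode_length(buf, 1)
    content = buf[pos:pos + length]
    if len(content) != length or pos + length != len(buf):
        raise ValueError("truncated or trailing bytes")
    if length == 0:
        raise ValueError("INTEGER content must not be empty")
    if length >= 2 and content[0] == 0x00 and not content[1] & 0x80:
        raise ValueError("redundant leading 0x00 (e.g. zero as 00 00)")
    if length >= 2 and content[0] == 0xFF and content[1] & 0x80:
        raise ValueError("redundant leading 0xFF (sign-extended negative)")
    return int.from_bytes(content, "big", signed=True)


def is_strict_der_integer(buf: bytes) -> bool:
    try:
        decode_der_integer(buf)
        return True
    except ValueError:
        return False
```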
