Design Issue: Overlong Frames
James M Snell <jasnell@gmail.com> Thu, 09 May 2013 17:28 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D47921F8F4D for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 9 May 2013 10:28:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.58
X-Spam-Level:
X-Spam-Status: No, score=-10.58 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NZQWpVBER5L for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 9 May 2013 10:28:19 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id EBA8D21F8FFB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 9 May 2013 10:28:11 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UaUcf-0004Iq-Oe for ietf-http-wg-dist@listhub.w3.org; Thu, 09 May 2013 17:27:17 +0000
Resent-Date: Thu, 09 May 2013 17:27:17 +0000
Resent-Message-Id: <E1UaUcf-0004Iq-Oe@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <jasnell@gmail.com>) id 1UaUcU-0004E6-Nv for ietf-http-wg@listhub.w3.org; Thu, 09 May 2013 17:27:06 +0000
Received: from mail-oa0-f47.google.com ([209.85.219.47]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <jasnell@gmail.com>) id 1UaUcQ-0005JP-8z for ietf-http-wg@w3.org; Thu, 09 May 2013 17:27:06 +0000
Received: by mail-oa0-f47.google.com with SMTP id m13so991163oag.6 for <ietf-http-wg@w3.org>; Thu, 09 May 2013 10:26:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:mime-version:from:date:message-id:subject:to :content-type; bh=E1XhJhQsrL4ggCGqqnt/AaHLGvHREdAsMouMKaJm294=; b=ZohqSFp2fHVBlds8DwK0cYVw/5ZjBsGSBWEoJMz1+Pl/BCoWagt026mpa3S0I6X7tA /cccu2hRPSAidpl34iZ7FbmAyD3YIf7+yC/Y1eJprgdVcYHR3r8GzafBBFaQXidW84ul 4gco9zpXFj/avh1EF2Ny4pUkYowhQQAZO2o5zG2Z8Zk66HymoGNCDIoHz3AGLpWaIb8F 4kGVWSx8ztk6yNDEPcyYjAMEj5/FPnVkrTPzruWmdWDB8KDAvcAvfK8QSq1IZY0nYAD4 wPwfEvQKzc7kMG0dgs2kxXj7Sof6mEALW34hOE3CUlUYeSKwaKdsB0quuzMAVEsj+CZm fB4A==
X-Received: by 10.182.108.165 with SMTP id hl5mr4825420obb.33.1368120396388; Thu, 09 May 2013 10:26:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.60.3.137 with HTTP; Thu, 9 May 2013 10:26:16 -0700 (PDT)
From: James M Snell <jasnell@gmail.com>
Date: Thu, 09 May 2013 10:26:16 -0700
Message-ID: <CABP7RbewOju850tE2GV2U4JZVawGTFGoWoYF7LaofGdKcXYqZg@mail.gmail.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=209.85.219.47; envelope-from=jasnell@gmail.com; helo=mail-oa0-f47.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.702, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1UaUcQ-0005JP-8z 9c74bde613f598470b7fa7852d3d151d
X-Original-To: ietf-http-wg@w3.org
Subject: Design Issue: Overlong Frames
Archived-At: <http://www.w3.org/mid/CABP7RbewOju850tE2GV2U4JZVawGTFGoWoYF7LaofGdKcXYqZg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17909
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
In going through a number of issues relating to frame sizes, I note that the spec currently does not deal with the issue of "overlong" or padded frames. That is, what happens if a frame contains more data than what is explicitly called for in it's definition. For instance, the GOAWAY frame currently defines it's payload as a 32-bit error code. What happens if that frame contains more than 32-bits? .. e.g. 00 40 07 00 00 00 00 00 0A BC DE FF FF FF FF FF An implementation that is not being careful could completely miss the extra junk bytes here. For GOAWAY it's obviously not too much of a concern, but the risk for abuse exists for all frames that define a specific structure for the payload data. Recommendation: Adding a short statement that a PROTOCOL_ERROR MUST be returned if a frame contains more bytes than what is expressly specified in the frame definition. - James
- Design Issue: Overlong Frames James M Snell
- Re: Design Issue: Overlong Frames Martin Thomson
- Re: Design Issue: Overlong Frames Martin Thomson
- Re: Design Issue: Overlong Frames James M Snell
- Re: Design Issue: Overlong Frames James M Snell
- Re: Design Issue: Overlong Frames William Chan (ιζΊζ)
- Re: Design Issue: Overlong Frames James M Snell
- Re: Design Issue: Overlong Frames James M Snell
- Re: Design Issue: Overlong Frames Martin Thomson
- Re: Design Issue: Overlong Frames James M Snell