IETF Logo Mail Archive

Re: [hybi] [Technical Errata Reported] RFC6455 (4184)

Barry Leiba <barryleiba@computer.org> Thu, 04 December 2014 19:33 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74F9F1A02BE for <hybi@ietfa.amsl.com>; Thu, 4 Dec 2014 11:33:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id POV87m9VlDP3 for <hybi@ietfa.amsl.com>; Thu, 4 Dec 2014 11:33:10 -0800 (PST)
Received: from mail-la0-x236.google.com (mail-la0-x236.google.com [IPv6:2a00:1450:4010:c03::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D1A91A0177 for <hybi@ietf.org>; Thu, 4 Dec 2014 11:33:09 -0800 (PST)
Received: by mail-la0-f54.google.com with SMTP id pv20so10349788lab.13 for <hybi@ietf.org>; Thu, 04 Dec 2014 11:33:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=pvI6N5O/Wbk2027wRZpzHzwIRIN/SJ9qW7fTbREnjYI=; b=Ke1ls184wMKXK4bZeAPdH1RpW2iO1J9ZnJ22N/LANa9hWCqckVORlIXw3AshIffh+8 T/1EemHYM5hI9lBNkklf4jATR8YqB2kpus1OnWF5MC5MPjaKfx0fWK3UtPt86x83hePl iJUIDKMI7BHIX0f5UYy9RI2++4SIRuy+a0/7WQMJGKzg0nQR/qJbxKQpkX9GbcZPihiA EeZaSlrkgwiDoXM7gImAv4f0Mw7q7f8kzXrP6Vyr1TEeVfw2XmijfF3IQfHPiWEbNY3S kuQaxmo7zmaRbtjGa0KCSm2wzi1axj5YQnKYx/C13xpfszJFSzVqN93adobeJsWIJq3g gkGw==
MIME-Version: 1.0
X-Received: by 10.112.166.74 with SMTP id ze10mr11112694lbb.68.1417721587734; Thu, 04 Dec 2014 11:33:07 -0800 (PST)
Sender: barryleiba@gmail.com
Received: by 10.152.127.168 with HTTP; Thu, 4 Dec 2014 11:33:07 -0800 (PST)
In-Reply-To: <D0A60BAF.1C012%jhall@futuresouth.us>
References: <CAC4RtVC6ecN302Wj+iCR0CZ8yN5tVYSOD=XX2Lm7zR-9hAxzVw@mail.gmail.com> <D0A60BAF.1C012%jhall@futuresouth.us>
Date: Thu, 04 Dec 2014 14:33:07 -0500
X-Google-Sender-Auth: C8pfncy9l88C114b3LH2-spM2W4
Message-ID: <CALaySJKoskLqx9WExQpE4XKsvmCuKnxqnJnz0n=krMghvywVYg@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Jonathan Hall <jhall@futuresouth.us>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/hybi/s9lANrXj9LcNeuOrTrPVQaTdGgI
Cc: Pete Resnick <presnick@qti.qualcomm.com>, "hybi@ietf.org" <hybi@ietf.org>, "ifette+ietf@google.com" <ifette+ietf@google.com>, Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>, RFC Errata System <rfc-editor@rfc-editor.org>
Subject: Re: [hybi] [Technical Errata Reported] RFC6455 (4184)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi/>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2014 19:33:12 -0000

> My apologies for using the errata system to report this. This is the first
> time I¹ve worked with commenting or giving opinions on RFC¹s, so I
> appreciate the guidance on proper processes and channels for submitting
> such information. I¹ve taken note of your advice and will be sure to use
> the mailing list from this point forward for any
> comments/questions/concerns discovered during implementation.

Great; no need to apologize: it would be good if we had more
information about how to comment on RFCs when errata reports aren't
the best way.  And thanks for understanding.

I encourage you to continue the discussion on the hybi list.  (Please
start a separate discussion thread, and trim the extra folks off the
distribution list... just keep <hybi@ietf.org>.)

I'm off to close out the errata report now.

Barry

> The reason I found the notes I submitted to be of value is because I have
> actually seen implementations that are taking the specified length of the
> frame and allocating memory for it without verifying the length of the
> actual payload data being received in that frame. A successful memory
> consumption PoC was written by an individual who tested it initially
> against a library that was somewhat popular at the time. I felt that the
> document was overall very straight forward and concise, but did leave the
> opportunity for someone to make a similar mistake pertaining to fragmented
> frames. But the more I think about it, the mistake could also be made with
> acceptance of frames in general. That is to say, if a frame specifies the
> payload is X amount of bytes, but the payload is really Y amount of bytes,
> one should - in their implementation - check to ensure the payload length
> actually does match the purported length of the payload in the frame. In
> the implementations I did encounter, the only time they accepted a frame
> that the frame-payload-length did not match the length of the actual raw
> payload was when the fin bit was set to 0. The only thing I could
> attribute that mistake to was a misunderstanding or misinterpretation of
> the RFC.
>
> Thank you everyone who has participated in this discussion and followed up
> on it.
>
> Jonathan D. Hall
>
> Future South Technologies
> www.futuresouth.us
> (504) 470-3748 ­ [main]
> (504) 232-3306 ­  [cell]
>
>
> Life is a dream for the wise, a game for the fool, a comedy for the rich
> and a tragedy for the poor.
>
>
>
>
>
>
> On 12/4/14, 12:59 PM, "Barry Leiba" <barryleiba@computer.org> wrote:
>
>>> Thanks, Jonathan, for the report.  But first, let me say something
>>> about what the errata system is for:
>>> The errata system is meant for recording errors in specifications that
>>> would have been considered errors at the time of publication, but that
>>> got missed in the reviews.  It is not meant to record things that
>>> we've discovered *since* publication, in trying to implement the spec.
>>> Gaps in the spec that were discovered in the process of implementation
>>> aren't fodder for errata reports, but absolutely should be discussed
>>> on the <hybi@ietf.org> mailing list.
>>>
>>> So: My sense is that this report is in that latter category.  Yes?
>>> Perhaps work should be done on a document update, but I don't think
>>> this is errata material.
>>
>>I haven't seen a response to this.  I'm going to give it until Monday,
>>8 Dec, before I mark this as Rejected, with a note recommending
>>discussion of these points on the hybi mailing list.
>>
>>Barry, Applications AD
>>
>>> On Mon, Nov 17, 2014 at 3:38 PM, RFC Errata System
>>> <rfc-editor@rfc-editor.org> wrote:
>>>> The following errata report has been submitted for RFC6455,
>>>> "The WebSocket Protocol".
>>>>
>>>> --------------------------------------
>>>> You may review the report below and at:
>>>> http://www.rfc-editor.org/errata_search.php?rfc=6455&eid=4184
>>>>
>>>> --------------------------------------
>>>> Type: Technical
>>>> Reported by: Jonathan Hall <jhall@futuresouth.us>
>>>>
>>>> Section: 5.4
>>>>
>>>> Original Text
>>>> -------------
>>>> 5.4.  Fragmentation
>>>>
>>>>    The primary purpose of fragmentation is to allow sending a message
>>>>    that is of unknown size when the message is started without having
>>>>to
>>>>    buffer that message.  If messages couldn't be fragmented, then an
>>>>    endpoint would have to buffer the entire message so its length could
>>>>    be counted before the first byte is sent.  With fragmentation, a
>>>>    server or intermediary may choose a reasonable size buffer and, when
>>>>    the buffer is full, write a fragment to the network.
>>>>
>>>>    A secondary use-case for fragmentation is for multiplexing, where it
>>>>    is not desirable for a large message on one logical channel to
>>>>    monopolize the output channel, so the multiplexing needs to be free
>>>>    to split the message into smaller fragments to better share the
>>>>    output channel.  (Note that the multiplexing extension is not
>>>>    described in this document.)
>>>>
>>>>    Unless specified otherwise by an extension, frames have no semantic
>>>>    meaning.  An intermediary might coalesce and/or split frames, if no
>>>>    extensions were negotiated by the client and the server or if some
>>>>    extensions were negotiated, but the intermediary understood all the
>>>>    extensions negotiated and knows how to coalesce and/or split frames
>>>>    in the presence of these extensions.  One implication of this is
>>>>that
>>>>    in absence of extensions, senders and receivers must not depend on
>>>>    the presence of specific frame boundaries.
>>>>
>>>>    The following rules apply to fragmentation:
>>>>
>>>>    o  An unfragmented message consists of a single frame with the FIN
>>>>       bit set (Section 5.2) and an opcode other than 0.
>>>>
>>>>    o  A fragmented message consists of a single frame with the FIN bit
>>>>       clear and an opcode other than 0, followed by zero or more frames
>>>>       with the FIN bit clear and the opcode set to 0, and terminated by
>>>>       a single frame with the FIN bit set and an opcode of 0.  A
>>>>       fragmented message is conceptually equivalent to a single larger
>>>>       message whose payload is equal to the concatenation of the
>>>>       payloads of the fragments in order; however, in the presence of
>>>>       extensions, this may not hold true as the extension defines the
>>>>       interpretation of the "Extension data" present.  For instance,
>>>>       "Extension data" may only be present at the beginning of the
>>>>first
>>>>       fragment and apply to subsequent fragments, or there may be
>>>>       "Extension data" present in each of the fragments that applies
>>>>       only to that particular fragment.  In the absence of "Extension
>>>>       data", the following example demonstrates how fragmentation
>>>>works.
>>>>
>>>>       EXAMPLE: For a text message sent as three fragments, the first
>>>>       fragment would have an opcode of 0x1 and a FIN bit clear, the
>>>>       second fragment would have an opcode of 0x0 and a FIN bit clear,
>>>>       and the third fragment would have an opcode of 0x0 and a FIN bit
>>>>       that is set.
>>>>
>>>>    o  Control frames (see Section 5.5) MAY be injected in the middle of
>>>>       a fragmented message.  Control frames themselves MUST NOT be
>>>>       fragmented.
>>>>
>>>>    o  Message fragments MUST be delivered to the recipient in the order
>>>>       sent by the sender.
>>>>
>>>>    o  The fragments of one message MUST NOT be interleaved between the
>>>>       fragments of another message unless an extension has been
>>>>       negotiated that can interpret the interleaving.
>>>>
>>>>    o  An endpoint MUST be capable of handling control frames in the
>>>>       middle of a fragmented message.
>>>>
>>>>    o  A sender MAY create fragments of any size for non-control
>>>>       messages.
>>>>
>>>>    o  Clients and servers MUST support receiving both fragmented and
>>>>       unfragmented messages.
>>>>
>>>>    o  As control frames cannot be fragmented, an intermediary MUST NOT
>>>>       attempt to change the fragmentation of a control frame.
>>>>
>>>>    o  An intermediary MUST NOT change the fragmentation of a message if
>>>>       any reserved bit values are used and the meaning of these values
>>>>       is not known to the intermediary.
>>>>
>>>>    o  An intermediary MUST NOT change the fragmentation of any message
>>>>       in the context of a connection where extensions have been
>>>>       negotiated and the intermediary is not aware of the semantics of
>>>>       the negotiated extensions.  Similarly, an intermediary that
>>>>didn't
>>>>       see the WebSocket handshake (and wasn't notified about its
>>>>       content) that resulted in a WebSocket connection MUST NOT change
>>>>       the fragmentation of any message of such connection.
>>>>
>>>>    o  As a consequence of these rules, all fragments of a message are
>>>>of
>>>>       the same type, as set by the first fragment's opcode.  Since
>>>>       control frames cannot be fragmented, the type for all fragments
>>>>in
>>>>       a message MUST be either text, binary, or one of the reserved
>>>>       opcodes.
>>>>
>>>>    NOTE: If control frames could not be interjected, the latency of a
>>>>    ping, for example, would be very long if behind a large message.
>>>>    Hence, the requirement of handling control frames in the middle of a
>>>>    fragmented message.
>>>>
>>>>    IMPLEMENTATION NOTE: In the absence of any extension, a receiver
>>>>    doesn't have to buffer the whole frame in order to process it.  For
>>>>    example, if a streaming API is used, a part of a frame can be
>>>>    delivered to the application.  However, note that this assumption
>>>>    might not hold true for all future WebSocket extensions.
>>>>
>>>>
>>>> Corrected Text
>>>> --------------
>>>>
>>>>
>>>> Notes
>>>> -----
>>>> There is no indication or mention of the payload length of the frame
>>>>with regards to fragmentation. In abstract, it's apparent that the
>>>>payload length specified in the header of the frame corresponds to the
>>>>actual frames payload length. However, implementations have been
>>>>observed that allow the headers payload length to be specified as a
>>>>higher length than the actual raw payload of that frame. In the event
>>>>that this occurs, some implementations are reallocating memory to
>>>>support the length of what is reported as the entire payload of all
>>>>fragmented messages combined, and continue building the buffer off of
>>>>each frame from that point forward by allocating enough memory for
>>>>specified payload length. Obviously, this opens up the potential for a
>>>>memory consumption DoS attack on an implementation that uses this
>>>>method. A lack of specification with regards to the RFC allows for such
>>>>a mistake to happen, as it is not clearly defined in the fragmentation
>>>>section.
>>>>
>>>> The RFC specifies that fragmented messages should be used to send
>>>>messages of an unknown length, i.e. streaming media, and therefore
>>>>should also specify that the frame length bit should be preserved to
>>>>the length of only that current frame and not be used to specify the
>>>>overall payload length of all fragmented messages combined.
>>>>Intermediaries should be forced to work with them on a frame-by-frame
>>>>basis and to drop the connection of any instances where the specified
>>>>length of the frames payload does not match the length of the actual
>>>>raw payload data for that one frame.
>>>>
>>>> Instructions:
>>>> -------------
>>>> This erratum is currently posted as "Reported". If necessary, please
>>>> use "Reply All" to discuss whether it should be verified or
>>>> rejected. When a decision is reached, the verifying party (IESG)
>>>> can log in to change the status and edit the report, if necessary.
>>>>
>>>> --------------------------------------
>>>> RFC6455 (draft-ietf-hybi-thewebsocketprotocol-17)
>>>> --------------------------------------
>>>> Title               : The WebSocket Protocol
>>>> Publication Date    : December 2011
>>>> Author(s)           : I. Fette, A. Melnikov
>>>> Category            : PROPOSED STANDARD
>>>> Source              : BiDirectional or Server-Initiated HTTP
>>>> Area                : Applications
>>>> Stream              : IETF
>>>> Verifying Party     : IESG
>>>>
>>>
>>> _______________________________________________
>>> hybi mailing list
>>> hybi@ietf.org
>>> https://www.ietf.org/mailman/listinfo/hybi
>

v2.23.0 | Report a Bug | By Email