[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Fwd: [e-lang] Protocol implementation errors
> After over 18 months > of close scrutiny, no one has been able to report any architectural flaw in > either the ASN.1 notation or any of the standard encoding rules, which might > have increased the risk of program misbehavior. The standards are innocent. That's a pretty broad claim to make, and I'm not so sure I'd go along with that. I could imagine playing some interesting games with indefinite-form length (or tag) values that get something "interesting" to happen because they cause wrap-around or (for lengths) make the system consume gobs of memory, hang in a network read waiting for the infinite data that will never come, etc. Did the scrutinizers think of those things? In my experience, fixing "too long" errors for XML parsers has to happen in only one place. Fixing them for ASN.1/[BDP]ER parsers requires fixing it every time you nest a structure or list. /r$ -- Rich Salz, Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|