To: "'budi@alliance.globalnetlink.com'" <budi@alliance.globalnetlink.com>, ietf-provreg@cafax.se
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Date: Tue, 25 Sep 2001 21:35:44 -0400
Sender: owner-ietf-provreg@cafax.se
Subject: RE: Length of Reason String
> -----Original Message-----
> From: budi@alliance.globalnetlink.com
> [mailto:budi@alliance.globalnetlink.com]
> Sent: Tuesday, September 25, 2001 9:59 PM
> To: ietf-provreg@cafax.se
> Subject: RE: Length of Reason String
>
>
> On 25 Sep 01, at 20:16, Hollenbeck, Scott wrote:
>
> > I don't see the relation to sloppy coding or DoS attacks.
>
> Hi Scott,
> I don't mean to say that we shouldn't use strings.
> And of course we should limit the length.
> (or shouldn't we?)
>
> It's just sloppy coding in the implementation can result in
> a DoS attack (depends on the implementation of course).
> For example if we limit the length of reason string to 16 chars.
> Then, I create a nasty server which sends 10.000 chars, eg
>
> - this-is-a-very-long-rely-beyond-32-characters-and-i-am-going-to-see-
> which-implementation-crashes-or-give-me-access-to-their-workstation-
> wha-ha-haAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

Actually, these sorts of long strings will/should get caught and flagged as errors by the XML parser before they get too far. Buffer overflow might be a problem with a buggy parser, so I see what you're saying. It's a risk with strings.

<Scott/>
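As an added illustration of the point both messages make (this is not code from the thread or from any EPP implementation), the following Python enforces the length limit on the reason string at parse time, so an over-long value from a misbehaving server is rejected before it reaches any fixed-size buffer. The `<reason>` element name, the 16-character cap from budi's example, and the sample responses are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed schema facet for illustration: the thread's example caps the
# reason string at 16 characters (an xsd:maxLength="16" style constraint).
REASON_MAX_LEN = 16


class ReasonTooLong(ValueError):
    """Raised when a <reason> exceeds the declared maxLength."""


def parse_reason(xml_bytes: bytes, max_len: int = REASON_MAX_LEN) -> str:
    """Extract the <reason> text and enforce the length facet.

    The check runs during parsing, mirroring what a schema-validating
    XML parser would do, so application code never sees an over-long value.
    """
    root = ET.fromstring(xml_bytes)
    elem = root.find(".//reason")  # hypothetical element name
    if elem is None:
        raise ValueError("no <reason> element in response")
    text = elem.text or ""
    # Count characters, not bytes: XML length facets are defined over characters.
    if len(text) > max_len:
        raise ReasonTooLong(f"reason is {len(text)} chars, max is {max_len}")
    return text


def reason_or_error(xml_bytes: bytes) -> tuple:
    """Convert parse/validation failures into an (ok, detail) pair."""
    try:
        return True, parse_reason(xml_bytes)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    except ValueError as exc:
        return False, str(exc)


# Constructed sample responses (hypothetical element names, not real EPP).
GOOD = b"<response><result code='2302'><reason>In use</reason></result></response>"
NASTY = (b"<response><result code='2302'><reason>"
         + b"A" * 10000
         + b"</reason></result></response>")

if __name__ == "__main__":
    print(reason_or_error(GOOD))   # (True, 'In use')
    print(reason_or_error(NASTY))  # (False, 'reason is 10000 chars, max is 16')
```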