In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector could go into an infinite loop. This was addressed in plugins/epan/gryphon/packet-gryphon.c by checking for a message length of zero.
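As an added illustration of the bug class described above (example code written for this page, not Wireshark's dissector; the record layout, with a 16-bit total length that includes the length field itself, is an assumption constructed for the example):

```c
/* Walk a buffer of length-prefixed records the way a dissector does.
 * Constructed record layout (an assumption for this example):
 *   uint16 big-endian total length (includes these 2 bytes), then payload.
 * A record whose declared length is 0 never advances the offset, so an
 * unguarded loop re-reads the same record forever; that is the class of
 * defect the zero-length check in the Gryphon fix closes.
 */
#include <stdint.h>
#include <stddef.h>

/* Returns the number of records walked, or -1 on malformed input. */
int walk_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off + 2 <= len) {
        size_t msglen = ((size_t)buf[off] << 8) | buf[off + 1];
        if (msglen < 2)            /* 0 never advances; <2 is malformed */
            return -1;
        if (msglen > len - off)    /* record runs past the buffer */
            return -1;
        off += msglen;             /* progress is now guaranteed */
        count++;
    }
    return (off == len) ? count : -1;
}
```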
A decade ago, the Doghouse was a regular feature in both my email newsletter Crypto-Gram and my blog. In it, I would call out particularly egregious — and amusing — examples of cryptographic "snake oil." I dropped it both because it stopped being fun and because almost everyone converged on standard cryptographic libraries, which meant standard non-snake-oil cryptography. But every…
Ubuntu Security Notice 4115-1 – Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denia…
This just makes me think:
regex -> hope for the best -> when it fails: change the format to something easier to parse -> if it still fails: google the file format and design a placement-based regex based on arbitrary sizes that aren't real limits == every software ever. https://twitter.com/ErrataRob/status/1165743566578171911 …
We typically call those “wire formats”, “data formats”, “serialization”, etc. The word “parse” doesn’t exist in the TCP RFC, for example, and “parsing” a Word XML serialization into the AST is only the first step in converting it to an internal representation.
Um, for the same reason architects design buildings that are easy to build. The examples you list, including DNS packet headers (and I'd like to add XML), were formats that were designed by humans. Generally by humans who didn't know how to design inputs that are easy to parse.
Spotify had an amazing security bug around Unicode normalization.
Two different sections of their platform treated uppercasing/downcasing Unicode differently.
Unicode implementations are an inconsistent dumpster fire.
If you can model your input as a state machine and show that your state machine is correct, and then actually implement the state machine character by character, your parser should be bulletproof. Parsing input 1 character at a time is the only way to get it right.