From: Kenichi Asai <asai@is.ocha.ac.jp>
To: Romain Bardou <romain.bardou@inria.fr>
Cc: caml-list@inria.fr
Subject: Re: [Caml-list] Marshall.from_channel and segmentation fault
Date: Fri, 12 Jun 2015 17:26:26 +0900 [thread overview]
Message-ID: <20150612082626.GA5884@pllab.is.ocha.ac.jp> (raw)
In-Reply-To: <557A8CBB.5050306@inria.fr>
Dear Romain,
Thanks for the explanation. It seems you are suggesting that I should
use something else that performs runtime type checking rather than the
Marshall module. Is there some standard module I can use?
I want to send various data along the Unix socket to create
interactive games using the Universe library for OCaml:
http://pllab.is.ocha.ac.jp/~asai/Universe/
Because the library is used by beginning students, I want to avoid
segmentation fault without any useful error messages when they
mistakenly use the sent data as having different types.
Sincerely,
--
Kenichi Asai
On Fri, Jun 12, 2015 at 09:39:39AM +0200,
Romain Bardou wrote:
> On 12/06/2015 07:27, Kenichi Asai wrote:
> >The OCaml manual for the Marshall module says:
> >
> >>(Marshal.from_channel chan : type). Anything can happen at run-time
> >>if the object in the file does not belong to the given type.
> >
> >and this "Anything" contains segmentation fault. Is it difficult to
> >avoid this segmentation fault and, e.g., raise an exception instead?
> >
> >Sincerely,
> >
>
> You have to check that you will not dereference invalid pointers.
> Basically you need to type-check the value at runtime before using it.
> If you have a runtime representation of the type of your value, you may
> be able to do so using Obj. But if you have a runtime representation of
> the type, Marshal suddenly becomes less interesting as you can use this
> representation to guide serialization anyway.
>
> Because of this, Marshal is mostly used when one knows through other
> means that only values of the right type are deserialized. This means
> that Marshal should not be used for network applications where the
> remote peer cannot be trusted to always send values of the right type.
> An attacker could send an ill-formed value to crash the server, for
> instance. Or, the remote peer may simply not be up-to-date and use other
> types for its values.
>
> Marshal is better suited to saving data locally. It will still fail if
> one tries to use values from another application or another version of
> the same application with incompatible types. In other words it will not
> be backward compatible when types change, so Marshal is better suited
> for temporary files. For instance, .cmi files are marshaled values, if
> I'm not mistaken.
>
> To sum up: yes, it is difficult.
>
> Cheers,
next prev parent reply other threads:[~2015-06-12 8:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-12 5:27 Kenichi Asai
2015-06-12 7:39 ` Romain Bardou
2015-06-12 8:26 ` Kenichi Asai [this message]
2015-06-12 8:55 ` Romain Bardou
2015-06-12 8:41 ` Francois Berenger
2015-06-12 8:38 ` Francois Berenger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150612082626.GA5884@pllab.is.ocha.ac.jp \
--to=asai@is.ocha.ac.jp \
--cc=caml-list@inria.fr \
--cc=romain.bardou@inria.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox