4 Security Considerations
Some of the structures contain fields that specify size information of the data in the serialization stream. The type of the size that specifies fields is INT32 (as specified in [MS-DTYP] section 2.2.22). The maximum value of these values can be as high as 0x7FFFFFFF. An implementation that consumes the stream either does not allocate memory based on the size information specified in the serialization stream, or ensures that the data in the serialization stream can be trusted.
The following table lists the structures with fields that specify size information.
|
Type |
Field |
Description |
|---|---|---|
|
LengthPrefixedString |
Length |
Size of the string |
|
ArrayOfValueWithCode |
Length |
Size of the Array |
|
ClassInfo |
MemberCount |
Number of Members |
|
ArrayInfo |
Length |
Size of the Array |
|
BinaryArray |
Rank |
Size of the Lengths and LowerBounds Arrays |
|
BinaryArray |
Lengths |
Size of each dimension that would affect the net size of the Array |
|
ObjectNullMultiple |
NullCount |
Number of Null Objects |
De-serialization of the serialization stream results in creating instances of Remoting Types whose information is provided in the serialization stream. It might be unsafe to create an instance of Remoting Types. An implementation protects against attacks where the serialization stream includes the unsafe Remoting Types. Such attacks can be mitigated by allowing the higher layer to configure a list of Remoting Types in an implementation-specific way and disallow de-serialization of any Remoting Type that is not in the list.