On May 2, 2013, at 2:40 PM, Damien Miller <d...@mindrot.org> wrote: > On Thu, 2 May 2013, Franco Fichtner wrote: > >> Moving implementations to user space does not necessarily make them >> better or less of a problem. > > The big difference is that its possible to sandbox a userspace > implementation so that small integer overflow bugs or length checking > failures don't become arbitrary kmem reads or, worse, RCE.
OK, the implementation only pulls a couple of bytes from the packet's payload. It will never pull bytes that are not verified. It will never allocate anything. It will never test against something that's neither hard-coded nor available in the range of the approved payload. It will never return more than "unsigned int" with a number describing the actual application. It will never manipulate any input value, lest of all the packet itself. It will never run into endless loops. And I'll gladly zap everything that could still considered be a potential risk. Parsing TCP options is still more complex than what this particular DPI code is supposed to be doing. This comes from personal experience. ;) IMHO, the only issue that remains is a potentially unlimited number of applications. That's a strong point against the idea. Franco