Testing Attoparsec Against Buffer Overflow

Posted by: Seth Lakowske

Published:

We want to demonstrate an attoparsec parser that can survive a buffer overflow attack. If more than n bytes have been received with either a successful header or a failed parse.

We'll be constructing lazy byte strings from [Char] type. [Char] is a synonym for String. We'll also be using OverloadedStrings which makes string literals polymorphic over IsString typeclass.

-- you can write
a :: String
a = "hi"
 
b :: Text
b = "world"

When parsing using a combinator library, the difficulty comes from precisely defining the parsed object. If you specify what it is, but fail to define what should come next, then you may match a stream of characters prematurely. The remaining characters that should be included in the match are now the subject of the next parse attempts and will not match because they should have been consumed by the previous parser.