Type Length Value +tlv [“Lightweight Machine to Machine Technical Specification”, OMA-TS-LightweightM2M-V1_0, especially section 6.3.3] TLV is a binary format. n/a The syntax and semantics of fragment identifiers specified for +tlv should be as specified for "application/vnd.oma.lwm2m+tlv". (At publication of this document, there is no fragment identification syntax defined for "application/vnd.oma.lwm2m+tlv".) The syntax and semantics for fragment identifiers for a specific "xxx/yyy+tlv" should be processed as follows: For cases defined in +tlv, where the fragment identifier resolves per the +tlv rules, then process as specified in +tlv. For cases defined in +tlv, where the fragment identifier does not resolve per the +tlv rules, then process as specified in "xxx/yyy+tlv". For cases not defined in +tlv, then process as specified in "xxx/yyy+tlv".
Each individual media type registered with a +tlv suffix can have additional security considerations.
As with any format with internal length fields, it is easy to construct malicious content with invalid length fields that can cause buffer overrun conditions.
TLV allows for arbitrary levels of nesting, which may make it possible to construct malicious content that will cause a stack overflow.
Interpreters of the TLV structures should be aware of these issues and should take appropriate measures to guard against buffer overflows and stack overruns in particular and malicious content in general.
[John_Mudge] [Open_Mobile_Naming_Authority] (OMNA) 2016-06-19