Posted to commits@cassandra.apache.org by "Laura Adney (JIRA)" <ji...@apache.org> on 2013/12/28 02:46:50 UTC

[jira] [Created] (CASSANDRA-6533) Denial of Service with get_slice operations

Laura Adney created CASSANDRA-6533:
--------------------------------------

             Summary: Denial of Service with get_slice operations
                 Key: CASSANDRA-6533
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-6533
             Project: Cassandra
          Issue Type: Bug
            Reporter: Laura Adney


We’ve come across a bug impacting Cassandra 1.2 and 2.0 with the potential to cause a denial of service condition in nodes handling get_slice requests.

It appears that Cassandra does not check the length of a column name that is part of a range predicate for a *_slice query before it serialises the slice query to pass to the replicas. Names with a length greater than 0xFFFF cause an assertion error to occur in ByteBufferUtil.writeWithShortLength and write a weird hint to the hinted handoff store.

This further causes subsequent reads on the node to fail until Cassandra is restarted.

2.0.x does not appear to be affected by the Denial of Service condition, though probably warrants further investigation.

The column name could be user controllable in certain applications and schemas, allowing a malicious user to stop all reads until the impacted nodes are restarted.  Attached is a small python script (using pycassa) that will reproduce the issue on a fresh Cassandra cluster with more than one node with the following schema:

CREATE KEYSPACE bar with placement_strategy = 'org.apache.cassandra.locator.SimpleStrategy' and strategy_options = {replication_factor:2};
use bar;
CREATE COLUMN FAMILY Test1;

It was tested against Cassandra 1.2.10, 1.2.12 and 2.0.3 on both OS X and Ubuntu (hasn't been tested against DSE). Included is a rough patch that includes an additional check in validatePredicate; however, it hasn't been formally tested other than a recompile and a check to see if it prevents the assert error.

predAssertError.py -> reproduce the bug on a fresh cluster (more than one node)
stacktraces.txt (1.2.10 and 2.0.3 stack traces)
predicate_patch.txt (diff of patch to fix issue)

zd8209



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
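The report's core point is that a user-controllable column name reaches a serializer whose two-byte length prefix cannot represent more than 0xFFFF bytes, so the failure surfaces as an internal assertion on the coordinator rather than as a client-facing validation error. The following is an added illustration of that mechanism, not the reporter's script, the attached patch, or Cassandra's own code: the length-prefixed framing, the exception class names, and the validate_slice_range / serialize_slice_range functions are assumptions made for this example, and the inputs are constructed inline.

```python
import struct
from typing import Dict, Tuple

# Added example (not Cassandra's code). A 2-byte ("short") length prefix can
# describe at most 0xFFFF bytes; the report attributes the assertion in
# ByteBufferUtil.writeWithShortLength to exceeding that limit.
MAX_SHORT_LENGTH = 0xFFFF


class SerializationAssertion(AssertionError):
    """Stands in for the JVM AssertionError the report describes (assumed name)."""


class InvalidRequest(ValueError):
    """Stands in for a client-facing validation error (assumed name)."""


def write_with_short_length(buf: bytes) -> bytes:
    """Serialise buf behind a big-endian uint16 length prefix.

    Mirrors the framing the report attributes to writeWithShortLength:
    the length must fit in two bytes, otherwise the invariant fails.
    """
    if len(buf) > MAX_SHORT_LENGTH:
        raise SerializationAssertion(
            f"length {len(buf)} does not fit in a short length prefix")
    return struct.pack(">H", len(buf)) + buf


def read_with_short_length(data: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Inverse of write_with_short_length; returns (payload, next_offset)."""
    (n,) = struct.unpack_from(">H", data, offset)
    start = offset + 2
    return data[start:start + n], start + n


def validate_slice_range(start: bytes, finish: bytes) -> None:
    """Reject range bounds that cannot be serialised, before any replica
    traffic is generated. This is a hypothetical reconstruction of the kind
    of check the report says its patch adds to validatePredicate, not the
    patch itself."""
    for name, bound in (("start", start), ("finish", finish)):
        if len(bound) > MAX_SHORT_LENGTH:
            raise InvalidRequest(
                f"slice range {name} is {len(bound)} bytes; "
                f"column names may not exceed {MAX_SHORT_LENGTH} bytes")


def serialize_slice_range(start: bytes, finish: bytes, validate: bool) -> bytes:
    """Build the wire form of a slice range.

    With validate=False an oversized bound reaches the serializer and trips
    the assertion (the reported failure mode). With validate=True the request
    is rejected up front with a client-facing error instead.
    """
    if validate:
        validate_slice_range(start, finish)
    return write_with_short_length(start) + write_with_short_length(finish)


def demo() -> Dict[str, object]:
    """Constructed inputs: ordinary bounds and one bound just past 0xFFFF bytes."""
    ok_start, ok_finish = b"a", b"z"
    oversized = b"A" * (MAX_SHORT_LENGTH + 1)
    results: Dict[str, object] = {}

    # Well-formed bounds round-trip through the framing.
    wire = serialize_slice_range(ok_start, ok_finish, validate=True)
    s, off = read_with_short_length(wire)
    f, _ = read_with_short_length(wire, off)
    results["roundtrip"] = (s, f) == (ok_start, ok_finish)

    # Without validation the oversized bound reaches the serializer.
    try:
        serialize_slice_range(oversized, ok_finish, validate=False)
        results["unvalidated"] = "serialized"
    except SerializationAssertion:
        results["unvalidated"] = "assertion"

    # With validation the same request is refused before serialization.
    try:
        serialize_slice_range(oversized, ok_finish, validate=True)
        results["validated"] = "serialized"
    except InvalidRequest:
        results["validated"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The practical point is the placement of the check: a bound check that lives only inside the serializer turns bad input into an internal invariant failure on the node, whereas a check at the request validation layer turns the same input into an ordinary error returned to the client.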