You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@geode.apache.org by "Owen Nichols (Jira)" <ji...@apache.org> on 2022/06/22 20:46:01 UTC

[jira] [Closed] (GEODE-9676) Limit Radish RESP bulk input sizes for unauthenticated connections

     [ https://issues.apache.org/jira/browse/GEODE-9676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen Nichols closed GEODE-9676.
-------------------------------

> Limit Radish RESP bulk input sizes for unauthenticated connections
> ------------------------------------------------------------------
>
>                 Key: GEODE-9676
>                 URL: https://issues.apache.org/jira/browse/GEODE-9676
>             Project: Geode
>          Issue Type: Improvement
>          Components: redis
>    Affects Versions: 1.15.0
>            Reporter: Jens Deppe
>            Assignee: Jens Deppe
>            Priority: Major
>              Labels: pull-request-available, redis
>             Fix For: 1.15.0
>
>
> Redis recently implemented a response to a CVE which allows for unauthenticated users to craft RESP requests which consume a lot of memory. Our implementation suffers from the same problem.
> For example, a command input starting with `*<MAX_INT>` would result in the JVM trying to allocate an array of size `MAX_INT`. 
> We need to be able to provide the same safeguards as Redis does.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)