Posted to issues@geode.apache.org by "Owen Nichols (Jira)" <ji...@apache.org> on 2022/06/22 20:46:01 UTC
[jira] [Closed] (GEODE-9676) Limit Radish RESP bulk input sizes for unauthenticated connections
[ https://issues.apache.org/jira/browse/GEODE-9676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Owen Nichols closed GEODE-9676.
-------------------------------
> Limit Radish RESP bulk input sizes for unauthenticated connections
> ------------------------------------------------------------------
>
> Key: GEODE-9676
> URL: https://issues.apache.org/jira/browse/GEODE-9676
> Project: Geode
> Issue Type: Improvement
> Components: redis
> Affects Versions: 1.15.0
> Reporter: Jens Deppe
> Assignee: Jens Deppe
> Priority: Major
> Labels: pull-request-available, redis
> Fix For: 1.15.0
>
>
> Redis recently implemented a response to a CVE which allows for unauthenticated users to craft RESP requests which consume a lot of memory. Our implementation suffers from the same problem.
> For example, a command input starting with `*<MAX_INT>` would result in the JVM trying to allocate an array of size `MAX_INT`.
> We need to be able to provide the same safeguards as Redis does.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
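
The failure mode described in the issue, shown as an added example (not code from Geode or Redis): a RESP length header is validated against a cap before anything is allocated from it, with a tighter cap for unauthenticated connections. The class name, method name and all four limit values are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;

public class RespHeaderLimits {
    // Assumed caps for illustration; not values taken from Geode or Redis.
    static final int UNAUTH_MAX_ARRAY = 10;
    static final int UNAUTH_MAX_BULK = 16 * 1024;
    static final int AUTH_MAX_ARRAY = 1024 * 1024;
    static final int AUTH_MAX_BULK = 512 * 1024 * 1024;

    /** Parses the decimal after a '*' or '$' marker and rejects it before any allocation. */
    static int parseLength(byte[] line, char marker, boolean authenticated) {
        if (line.length < 2 || line[0] != marker) {
            throw new IllegalArgumentException("expected '" + marker + "' header");
        }
        int limit = marker == '*'
            ? (authenticated ? AUTH_MAX_ARRAY : UNAUTH_MAX_ARRAY)
            : (authenticated ? AUTH_MAX_BULK : UNAUTH_MAX_BULK);
        long value = 0;
        for (int i = 1; i < line.length; i++) {
            int digit = line[i] - '0';
            if (digit < 0 || digit > 9) {
                throw new IllegalArgumentException("non-digit in length");
            }
            value = value * 10 + digit;
            if (value > limit) { // checked per digit, so long input cannot overflow
                throw new IllegalArgumentException("length exceeds limit " + limit);
            }
        }
        return (int) value;
    }

    public static void main(String[] args) {
        // Constructed sample headers (CRLF already stripped by the line reader).
        String[] headers = {"*3", "*2147483647", "$5", "$1048576"};
        for (String h : headers) {
            byte[] line = h.getBytes(StandardCharsets.US_ASCII);
            for (boolean auth : new boolean[] {false, true}) {
                try {
                    int n = parseLength(line, h.charAt(0), auth);
                    // Only now is it safe to size an array or buffer from the header.
                    System.out.println(h + " auth=" + auth + " -> accept " + n);
                } catch (IllegalArgumentException e) {
                    System.out.println(h + " auth=" + auth + " -> reject: " + e.getMessage());
                }
            }
        }
    }
}
```

With these assumed caps, `*2147483647` is rejected on both connection types, while `$1048576` is rejected only before authentication.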