Posted to dev@mina.apache.org by "Owen Jacobson (JIRA)" <ji...@apache.org> on 2007/10/31 04:52:50 UTC

[jira] Closed: (DIRMINA-454) Trivial denial of service in TextLineDecoder

     [ https://issues.apache.org/jira/browse/DIRMINA-454?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen Jacobson closed DIRMINA-454.
---------------------------------


I finally got a chance to test this out -- it works great!  I had a look at the code, and if I understand what it's doing it's good enough for my purposes.  You might want to document the exact semantics of the line length limit in the javadocs somewhere; they're a little vague right now.

> Trivial denial of service in TextLineDecoder
> --------------------------------------------
>
>                 Key: DIRMINA-454
>                 URL: https://issues.apache.org/jira/browse/DIRMINA-454
>             Project: MINA
>          Issue Type: Bug
>          Components: Filter
>    Affects Versions: 1.0.6, 1.1.3
>            Reporter: Owen Jacobson
>            Assignee: Trustin Lee
>             Fix For: 1.0.7, 1.1.4
>
>         Attachments: no-dos.patch
>
>
> In both of TextLineDecoder's decoding methods, the decoder only checks the size of input after it's found at least one line ending character.  Infinitely long streams of, say, 'y's will cause the decoder to try to buffer up data until the JVM falls over.

-- 
This message is automatically generated by JIRA.
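
The failure mode described in the report, as an added example that is not MINA's code and not the attached no-dos.patch: a minimal incremental line decoder that enforces its length limit on every buffered byte instead of only after a line ending is found. The class name `BoundedLineDecoder`, the `maxLineLength` parameter and the `'\n'`-only delimiter are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example: '\n'-delimited decoder whose cap applies while it is still buffering. */
public class BoundedLineDecoder {
    private final int maxLineLength; // hypothetical parameter: max bytes per line, delimiter excluded
    private final ByteArrayOutputStream pending = new ByteArrayOutputStream();

    public BoundedLineDecoder(int maxLineLength) {
        this.maxLineLength = maxLineLength;
    }

    /** Consumes one network chunk and returns the lines it completed. */
    public List<String> feed(byte[] chunk) {
        List<String> lines = new ArrayList<>();
        for (byte b : chunk) {
            if (b == '\n') {
                lines.add(new String(pending.toByteArray(), StandardCharsets.UTF_8));
                pending.reset();
            } else {
                // Checked for every byte, so a peer that never sends a line
                // ending cannot grow the buffer past the limit.
                if (pending.size() >= maxLineLength) {
                    pending.reset();
                    // The caller is expected to close the connection here.
                    throw new IllegalStateException("line exceeds " + maxLineLength + " bytes");
                }
                pending.write(b);
            }
        }
        return lines;
    }

    /** Bytes currently held for an unfinished line. */
    public int buffered() {
        return pending.size();
    }

    public static void main(String[] args) {
        BoundedLineDecoder d = new BoundedLineDecoder(16);
        // Constructed input: a line split across chunks still decodes.
        System.out.println(d.feed("hel".getBytes(StandardCharsets.UTF_8)));
        System.out.println(d.feed("lo\nwor".getBytes(StandardCharsets.UTF_8)));
        // Constructed input: a delimiter-free run of 'y' bytes, as in the report.
        byte[] ys = new byte[1024];
        Arrays.fill(ys, (byte) 'y');
        try {
            d.feed(ys);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage() + ", buffered=" + d.buffered());
        }
    }
}
```

The limit here counts bytes of a single unfinished line, excluding the delimiter; whichever semantics a decoder picks, it is the kind of detail the comment above asks to have documented.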