You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@geode.apache.org by "Jens Deppe (Jira)" <ji...@apache.org> on 2021/10/05 20:37:00 UTC
[jira] [Updated] (GEODE-9676) Limit Radish RESP bulk input sizes
for unauthenticated connections
[ https://issues.apache.org/jira/browse/GEODE-9676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jens Deppe updated GEODE-9676:
------------------------------
Issue Type: Improvement (was: Test)
> Limit Radish RESP bulk input sizes for unauthenticated connections
> ------------------------------------------------------------------
>
> Key: GEODE-9676
> URL: https://issues.apache.org/jira/browse/GEODE-9676
> Project: Geode
> Issue Type: Improvement
> Components: redis
> Reporter: Jens Deppe
> Priority: Major
>
> Redis recently implemented a response to a CVE which allows for unauthenticated users to craft RESP requests which consume a lot of memory. Our implementation suffers from the same problem.
> For example, a command input starting with `*<MAX_INT>` would result in the JVM trying to allocate an array of size `MAX_INT`.
> We need to be able to provide the same safeguards as Redis does.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)