You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@geode.apache.org by "Jens Deppe (Jira)" <ji...@apache.org> on 2021/10/05 20:37:00 UTC

[jira] [Updated] (GEODE-9676) Limit Radish RESP bulk input sizes for unauthenticated connections

     [ https://issues.apache.org/jira/browse/GEODE-9676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jens Deppe updated GEODE-9676:
------------------------------
    Issue Type: Improvement  (was: Test)

> Limit Radish RESP bulk input sizes for unauthenticated connections
> ------------------------------------------------------------------
>
>                 Key: GEODE-9676
>                 URL: https://issues.apache.org/jira/browse/GEODE-9676
>             Project: Geode
>          Issue Type: Improvement
>          Components: redis
>            Reporter: Jens Deppe
>            Priority: Major
>
> Redis recently implemented a response to a CVE which allows for unauthenticated users to craft RESP requests which consume a lot of memory. Our implementation suffers from the same problem.
> For example, a command input starting with `*<MAX_INT>` would result in the JVM trying to allocate an array of size `MAX_INT`. 
> We need to be able to provide the same safeguards as Redis does.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)