[
https://issues.apache.org/jira/browse/HADOOP-19864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18079414#comment-18079414
]
ASF GitHub Bot commented on HADOOP-19864:
-----------------------------------------
pan3793 commented on code in PR #8470:
URL: https://github.com/apache/hadoop/pull/8470#discussion_r3207983609
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java:
##########
@@ -2946,28 +2946,40 @@ private void processRpcRequest(RpcRequestHeaderProto
header,
throw new FatalRpcServerException(
RpcErrorCodeProto.FATAL_INVALID_RPC_HEADER, err);
}
- Class<? extends Writable> rpcRequestClass =
+ // Reject requests for RPC kinds with no registered protocols on this
+ // server instance. This prevents deserialization of untrusted payloads
+ // for unsupported kinds. See HADOOP-19864.
+ if (Server.this instanceof RPC.Server server) {
+ final RPC.RpcKind kind = ProtoUtil.convert(header.getRpcKind());
+ if (!server.hasRegisteredProtocols(kind)) {
+ final String err = "No protocols registered on this server for
RpcKind "
+ + header.getRpcKind()
+ + ". Rejecting request without deserialization.";
+ LOG.info("{} Client: {}", err, getHostAddress());
+ throw new FatalRpcServerException(
+ RpcErrorCodeProto.FATAL_INVALID_RPC_HEADER, err);
+ }
+ }
+ Class<? extends Writable> rpcRequestClass =
getRpcRequestWrapper(header.getRpcKind());
if (rpcRequestClass == null) {
- LOG.warn("Unknown rpc kind " + header.getRpcKind() +
- " from client " + getHostAddress());
- final String err = "Unknown rpc kind in rpc header" +
- header.getRpcKind();
+ LOG.warn("Unknown rpc kind {} from client {}", header.getRpcKind(),
getHostAddress());
throw new FatalRpcServerException(
- RpcErrorCodeProto.FATAL_INVALID_RPC_HEADER, err);
+ RpcErrorCodeProto.FATAL_INVALID_RPC_HEADER,
+ "Unknown rpc kind in rpc header" + header.getRpcKind());
}
Writable rpcRequest;
try { //Read the rpc request
rpcRequest = buffer.newInstance(rpcRequestClass, conf);
} catch (RpcServerException rse) { // lets tests inject failures.
throw rse;
} catch (Throwable t) { // includes runtime exception from newInstance
- LOG.warn("Unable to read call parameters for client " +
- getHostAddress() + "on connection protocol " +
- this.protocolName + " for rpcKind " + header.getRpcKind(), t);
- String err = "IPC server unable to read call parameters: "+
t.getMessage();
+ LOG.warn(
+ "Unable to read call parameters for client {}on connection
protocol {} for rpcKind {}",
+ getHostAddress(), this.protocolName, header.getRpcKind(), t);
throw new FatalRpcServerException(
- RpcErrorCodeProto.FATAL_DESERIALIZING_REQUEST, err);
+ RpcErrorCodeProto.FATAL_DESERIALIZING_REQUEST,
+ "IPC server unable to read call parameters: "+ t.getMessage());
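Review bot: In the new registered-protocols check, `ProtoUtil.convert(header.getRpcKind())` runs before the `rpcRequestClass == null` test further down, so a kind that does not map to a known `RPC.RpcKind` reaches `hasRegisteredProtocols(kind)` first. Confirm that method tolerates a null or unmapped kind, or move the unknown-kind check ahead of it so that case still gets the "Unknown rpc kind" error. The guard is also skipped when `Server.this` is not an `RPC.Server`, so those servers still deserialize the payload; a comment stating that this is intended would help. The rejection is logged at INFO while the neighbouring unknown-kind rejection is logged at WARN, and two messages carry over missing spaces: `"client {}on connection protocol"` and `"Unknown rpc kind in rpc header" + header.getRpcKind()`.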
Review Comment:
nit:
```suggestion
"IPC server unable to read call parameters: " + t.getMessage());
```
> Cut WritableRPCEngine
> ---------------------
>
> Key: HADOOP-19864
> URL: https://issues.apache.org/jira/browse/HADOOP-19864
> Project: Hadoop Common
> Issue Type: Improvement
> Components: ipc
> Affects Versions: 3.6.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.6.0
>
>
> Cut {{WritableRpcEngine}} from the code
> It's been obsolete for over a decade, with MAPREDUCE-6706 not needed
> internally.
> Tez still uses it (TEZ-4708) so this removal will be incompatible for them.