[jira] [Updated] (GEODE-9676) Limit Radish RESP bulk input sizes for unauthenticated connections

Wayne (Jira) Tue, 05 Oct 2021 13:46:06 -0700


     [ 
https://issues.apache.org/jira/browse/GEODE-9676?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Wayne updated GEODE-9676:
-------------------------
    Labels: redis  (was: )

> Limit Radish RESP bulk input sizes for unauthenticated connections
> ------------------------------------------------------------------
>
>                 Key: GEODE-9676
>                 URL: https://issues.apache.org/jira/browse/GEODE-9676
>             Project: Geode
>          Issue Type: Improvement
>          Components: redis
>            Reporter: Jens Deppe
>            Priority: Major
>              Labels: redis
>
> Redis recently implemented a response to a CVE which allows for 
> unauthenticated users to craft RESP requests which consume a lot of memory. 
> Our implementation suffers from the same problem.
> For example, a command input starting with `*<MAX_INT>` would result in the 
> JVM trying to allocate an array of size `MAX_INT`. 
> We need to be able to provide the same safeguards as Redis does.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (GEODE-9676) Limit Radish RESP bulk input sizes for unauthenticated connections

Reply via email to