[ 
https://issues.apache.org/jira/browse/GEODE-9676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17430610#comment-17430610
 ] 

ASF subversion and git services commented on GEODE-9676:
--------------------------------------------------------

Commit 4398bec6eac70ee7bfa3b296655a8326543fc3b7 in geode's branch refs/heads/develop from Jens Deppe
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=4398bec ]

GEODE-9676: Limit array and string sizes for unauthenticated Radish connections (#6994)

- This applies the same fix as introduced by CVE-2021-32675 for Redis.
  When security is enabled, unauthenticated requests limit the size of arrays
  and bulk strings to 10 and 16384 respectively. Once connections are
  authenticated, the size restriction is not applied.
- When security is not enabled, this restriction does not apply.
- Re-enable the relevant Redis TCL test.


> Limit Radish RESP bulk input sizes for unauthenticated connections
> ------------------------------------------------------------------
>
>                 Key: GEODE-9676
>                 URL: https://issues.apache.org/jira/browse/GEODE-9676
>             Project: Geode
>          Issue Type: Improvement
>          Components: redis
>    Affects Versions: 1.15.0
>            Reporter: Jens Deppe
>            Assignee: Jens Deppe
>            Priority: Major
>              Labels: pull-request-available, redis
>             Fix For: 1.15.0
>
>
> Redis recently implemented a response to a CVE which allows for 
> unauthenticated users to craft RESP requests which consume a lot of memory. 
> Our implementation suffers from the same problem.
> For example, a command input starting with `*<MAX_INT>` would result in the 
> JVM trying to allocate an array of size `MAX_INT`. 
> We need to be able to provide the same safeguards as Redis does.
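The check the commit message and the issue description above call for, as an added example that is not Geode's own code: a minimal RESP array-of-bulk-strings parser that applies the 10-element and 16384-byte limits only to unauthenticated connections while security is enabled, lifts them once the connection is authenticated, and refuses a `*<MAX_INT>` header before anything is allocated. The parser, the limit constants and the helper names are assumptions of this example, not identifiers from Geode.

```python
import io

MAX_UNAUTH_ARRAY_LEN = 10     # unauthenticated limit from the commit message
MAX_UNAUTH_BULK_LEN = 16384   # unauthenticated limit from the commit message


class RespLimitError(ValueError):
    """Declared RESP size exceeds what an unauthenticated client may send."""


def _read_line(buf):
    line = buf.readline()
    if not line.endswith(b"\r\n"):
        raise ValueError("truncated RESP line")
    return line[:-2]


def parse_request(data, authenticated, security_enabled=True):
    """Parse one RESP request into its argument list. Declared lengths are checked
    before any buffer is sized, so b'*2147483647\\r\\n' is refused up front."""
    enforce = security_enabled and not authenticated
    buf = io.BytesIO(data)
    header = _read_line(buf)
    if not header.startswith(b"*"):
        raise ValueError("expected a RESP array header")
    count = int(header[1:])
    if enforce and count > MAX_UNAUTH_ARRAY_LEN:
        raise RespLimitError(f"array of {count} elements exceeds unauthenticated limit")
    args = []
    for _ in range(count):
        bulk_header = _read_line(buf)
        if not bulk_header.startswith(b"$"):
            raise ValueError("expected a RESP bulk string header")
        length = int(bulk_header[1:])
        if enforce and length > MAX_UNAUTH_BULK_LEN:
            raise RespLimitError(f"bulk string of {length} bytes exceeds unauthenticated limit")
        payload = buf.read(length)
        if len(payload) != length or buf.read(2) != b"\r\n":
            raise ValueError("truncated bulk string")
        args.append(payload)
    return args


def encode_request(*args):
    # Builds a well-formed RESP request; used here only to construct sample input.
    return b"*%d\r\n" % len(args) + b"".join(b"$%d\r\n%s\r\n" % (len(a), a) for a in args)


def is_rejected_by_limit(data, authenticated, security_enabled=True):
    """True when the request is refused by the size limit (framing errors propagate)."""
    try:
        parse_request(data, authenticated, security_enabled)
    except RespLimitError:
        return True
    return False
```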



--
This message was sent by Atlassian Jira
(v8.3.4#803005)