[GEODE-9676] Limit Radish RESP bulk input sizes for unauthenticated connections - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.15.0
Fix Version/s: 1.15.0
Component/s: redis
Labels:
- pull-request-available
- redis

Description

Redis recently implemented a response to a CVE which allows for unauthenticated users to craft RESP requests which consume a lot of memory. Our implementation suffers from the same problem.

For example, a command input starting with `*<MAX_INT>` would result in the JVM trying to allocate an array of size `MAX_INT`.

We need to be able to provide the same safeguards as Redis does.

Attachments

Issue Links

links to

GitHub Pull Request #6994

Activity

People

Assignee:: Jens Deppe

Reporter:: Jens Deppe

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 05/Oct/21 17:49

Updated:: 22/Jun/22 20:45

Resolved:: 19/Oct/21 15:31