Uploaded image for project: 'Go Driver'
  1. Go Driver
  2. GODRIVER-2869

Protocol validations to reduce client denial of service risks

    XMLWordPrintableJSON

Details

    • Icon: Improvement Improvement
    • Resolution: Fixed
    • Icon: Unknown Unknown
    • 1.12.1
    • None
    • None
    • None
    • Not Needed
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?

    Description

      Tracking PR #1291 to fix two possible conditions which could result in a potential denial of service of a client connected to a malicious MongoDB server.

      1. readLengthBytes requires 4 bytes for the length to be included. Previously when reading a document from the wire this could result in a tight loop where an empty struct is appended to a slice repeatedly until the service runs out of memory (both CPU and memory consumption).
      2. Fix a large memory allocation condition with Snappy decompression if a large size is encoded in the Snappy compressed / encoded portion of the bytes.

      Attachments

        Activity

          People

            qingyang.hu@mongodb.com Qingyang Hu
            qingyang.hu@mongodb.com Qingyang Hu
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: