  1. Go Driver
  2. GODRIVER-2869

Protocol validations to reduce client denial of service risks

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Unknown
    • 1.12.1
    • Affects Version/s: None
    • Component/s: None
    • None
    • Not Needed

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?


      Tracking PR #1291 to fix two possible conditions which could result in a potential denial of service of a client connected to a malicious MongoDB server.

      1. readLengthBytes requires 4 bytes for the length to be included. Previously when reading a document from the wire this could result in a tight loop where an empty struct is appended to a slice repeatedly until the service runs out of memory (both CPU and memory consumption).
      2. Fix a large memory allocation condition with Snappy decompression if a large size is encoded in the Snappy compressed / encoded portion of the bytes.

            Assignee:
            qingyang.hu@mongodb.com Qingyang Hu
            Reporter:
            qingyang.hu@mongodb.com Qingyang Hu
            Votes:
            0
            Watchers:
            2
