Return-Path: X-Original-To: apmail-accumulo-notifications-archive@minotaur.apache.org Delivered-To: apmail-accumulo-notifications-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4BA7E19917 for ; Fri, 22 Apr 2016 14:24:13 +0000 (UTC) Received: (qmail 71174 invoked by uid 500); 22 Apr 2016 14:24:13 -0000 Delivered-To: apmail-accumulo-notifications-archive@accumulo.apache.org Received: (qmail 71106 invoked by uid 500); 22 Apr 2016 14:24:13 -0000 Mailing-List: contact notifications-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: jira@apache.org Delivered-To: mailing list notifications@accumulo.apache.org Received: (qmail 71077 invoked by uid 99); 22 Apr 2016 14:24:13 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 22 Apr 2016 14:24:13 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id D30932C1F4E for ; Fri, 22 Apr 2016 14:24:12 +0000 (UTC) Date: Fri, 22 Apr 2016 14:24:12 +0000 (UTC) From: "Josh Elser (JIRA)" To: notifications@accumulo.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (ACCUMULO-4243) Kerberos thrift servers don't adhere to general.server.message.size.max MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 Josh Elser created ACCUMULO-4243: ------------------------------------ Summary: Kerberos thrift servers don't adhere to general.server.message.size.max Key: ACCUMULO-4243 URL: https://issues.apache.org/jira/browse/ACCUMULO-4243 Project: Accumulo Issue Type: Bug Components: rpc Affects Versions: 1.7.1, 1.7.0 Reporter: Josh Elser Assignee: Josh Elser Priority: Blocker Fix For: 1.7.2, 1.8.0 It looks like when I implemented Kerberos client authentication in ACCUMULO-2815, I botched the use of general.server.message.size.max. This property is meant to guard us against trying to allocate a very large buffer from an RPC call. Typically, the first four bytes of data sent to one of our thrift servers (tserver, master, proxy) is treated as the number of bytes to read for some RPC. The problem is that if some garbage data (often, a security scan by some admins) may inadvertently cause the server to try to allocate a very large buffer (GBs in size) which will cause the process to ultimately crash while instantiating the buffer. It seems like something might be handled differently in the TSaslServer in Thrift. I'll have to dig more into whether it's an Accumulo or Thrift bug. To reproduce this, I was able to use telnet: {noformat} $ telnet `hostname -f` 9997 <...waiting to get connected...> ~~~~000000000000000000 .. {noformat} This will try to create a very large buffer (~2.1GB). I observed this by hooking up jvisualvm to the tabletserver. -- This message was sent by Atlassian JIRA (v6.3.4#6332)