cassandra-commits mailing list archives

From "Laura Adney (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-6533) Denial of Service with get_slice operations
Date Sat, 28 Dec 2013 01:50:50 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-6533?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Laura Adney updated CASSANDRA-6533:
-----------------------------------

    Attachment: stacktraces.txt
                predicate_patch.txt
                predAssertError (1).py

> Denial of Service with get_slice operations
> -------------------------------------------
>
>                 Key: CASSANDRA-6533
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-6533
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Laura Adney
>         Attachments: predAssertError (1).py, predicate_patch.txt, stacktraces.txt
>
>
> We’ve come across a bug impacting Cassandra 1.2 and 2.0 with the potential to cause a denial of service condition in nodes handling get_slice requests.
> It appears that Cassandra does not check the length of a column name that is part of a range predicate for a *_slice query before it serialises the slice query to pass to the replicas. Names with a length greater than 0xFFFF cause an assertion error to occur in ByteBufferUtil.writeWithShortLength and write a weird hint to the hinted handoff store.
> This further causes subsequent reads on the node to fail until Cassandra is restarted.
> 2.0.x does not appear to be affected by the Denial of Service condition, though probably warrants further investigation.
> The column name could be user controllable in certain applications and schemas, allowing a malicious user to stop all reads until the impacted nodes are restarted. Attached is a small Python script (using pycassa) that will reproduce the issue on a fresh Cassandra cluster with more than one node with the following schema:
> CREATE KEYSPACE bar with placement_strategy = 'org.apache.cassandra.locator.SimpleStrategy' and strategy_options = {replication_factor:2};
> use bar;
> CREATE COLUMN FAMILY Test1;
> It was tested against Cassandra 1.2.10, 1.2.12 and 2.0.3 on both OS X and Ubuntu (hasn't been tested against DSE). Included a rough patch that includes an additional check in validatePredicate; however, it hasn’t been formally tested other than a recompile and check to see if it prevents the assert error.
> predAssertError.py -> reproduce the bug on a fresh cluster (more than one node)
> stacktraces.txt (1.2.10 and 2.0.3 stack traces)
> predicate_patch.txt (diff of patch to fix issue)
> zd8209



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
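
Added example (not part of the JIRA message and not the attached patch or script): a client-side guard an application can apply to user-controlled slice bounds before they reach a *_slice call, so an oversized name is rejected at the input boundary. The names InvalidSliceBound, frame_short_length and check_slice_bounds are hypothetical, and the framing function is a simplified model of 2-byte length-prefixed serialisation, not Cassandra's code.

```python
import struct

MAX_SHORT_LENGTH = 0xFFFF  # largest value a 2-byte unsigned length prefix can hold


class InvalidSliceBound(ValueError):
    """A slice start/finish name that cannot be framed with a 2-byte length."""


def frame_short_length(name: bytes) -> bytes:
    """Simplified model: 2-byte big-endian length followed by the name bytes.

    An oversized name raises a request-level error here instead of reaching
    the serialiser, which is where the report says the assertion fires.
    """
    if len(name) > MAX_SHORT_LENGTH:
        raise InvalidSliceBound("%d bytes does not fit a 2-byte length" % len(name))
    return struct.pack(">H", len(name)) + name


def _to_bytes(label, bound):
    # Measure the encoded byte length, not the character count: a string of
    # fewer than 0xFFFF characters can still exceed 0xFFFF bytes in UTF-8.
    if isinstance(bound, str):
        bound = bound.encode("utf-8")
    elif isinstance(bound, (bytes, bytearray)):
        bound = bytes(bound)
    else:
        raise InvalidSliceBound("%s must be str or bytes" % label)
    if len(bound) > MAX_SHORT_LENGTH:
        raise InvalidSliceBound(
            "%s is %d bytes, limit is %d" % (label, len(bound), MAX_SHORT_LENGTH)
        )
    return bound


def check_slice_bounds(start, finish):
    """Validate both bounds of a slice range and return them as bytes.

    Empty bounds are allowed: in a slice range they mean an open-ended range.
    """
    return _to_bytes("start", start), _to_bytes("finish", finish)
```

Call check_slice_bounds on any start/finish value derived from user input and pass only its return values on to the client library; this limits exposure from the application side and does not replace the server-side check in validatePredicate.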
