directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: Issues with the Keberos codec
Date Tue, 16 Nov 2010 13:04:20 GMT
On 11/16/10 1:52 PM, Alex Karasulu wrote:
> On Tue, Nov 16, 2010 at 5:14 AM, Kiran Ayyagari<kayyagari@apache.org>wrote:
>
>
>> sounds good to me, OTOH what are the disadvantages of reading whole
>> PDU and processing it?
>>
>>
> Increases potentials for large PDU attacks to overflow memory but we can
> mitigate that with limits on the PDU size we're willing to process.
The potential for PDU attack is the same. At least, we avoid creating a 
data structure immediately.

However, I think we will need to define a dedicated KRB_PDU 
configuration parameter, because Kerberos PDU are very likely to be 
smaller than LDAP PDU.


-- 
Regards,
Cordialement,
Emmanuel L├ęcharny
www.iktek.com


Mime
View raw message