directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <akaras...@apache.org>
Subject Re: Issues with the Keberos codec
Date Tue, 16 Nov 2010 12:52:33 GMT
On Tue, Nov 16, 2010 at 5:14 AM, Kiran Ayyagari <kayyagari@apache.org>wrote:

> On Tue, Nov 16, 2010 at 4:48 AM, Emmanuel Lecharny <elecharny@apache.org>
> wrote:
> > Hi,
> > the way we decode the Kerberos is not good, as I said in a previous mail.
> We
> > can't process a fragmented PDU.
> >
> > I suggested that we manipulate the State in order to pick the right
> > container, but this is really too complex, and brittle.
> > I have one other solution :
> > pre-read the PDU size. As we are using TLV, the Length once read will let
> us
> > read the Value as an opaque element, then once completely read, we will
> be
> > able to process the PDU
> > This seems a minimal cost to get the codec working with the grammars we
> have
> > defined.
> > thoughts ?
> sounds good to me, OTOH what are the disadvantages of reading whole
> PDU and processing it?
>
>
Increases potentials for large PDU attacks to overflow memory but we can
mitigate that with limits on the PDU size we're willing to process.

Otherwise it sounds like a good idea if the grammar in the current situation
is getting too cumbersome to deal with. Really KRB PDU sizes are not that
large AFAIK so this is not that bad. It does not follow with zero copy
principles of building good performing network servers but for now we need
to go this route until we find a better way later.

-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
To set up a meeting with me: http://tungle.me/AlexKarasulu

Mime
View raw message