zookeeper-dev mailing list archives

From hanm <...@git.apache.org>
Subject [GitHub] zookeeper pull request #179: ZOOKEEPER-2693: DOS attack on wchp/wchc four le...
Date Fri, 17 Feb 2017 20:11:50 GMT
Github user hanm commented on a diff in the pull request:

    --- Diff: src/java/main/org/apache/zookeeper/server/NIOServerCnxn.java ---
    @@ -479,7 +479,7 @@ private boolean checkFourLetterWord(final SelectionKey k, final int
             // We take advantage of the limited size of the length to look
             // for cmds. They are all 4-bytes which fits inside of an int
             String cmd = FourLetterCommands.getCmdMapView().get(len);
    -        if (cmd == null) {
    +        if (cmd == null || !FourLetterCommands.getWhiteListedCmdView().contains(cmd))
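Review bot: the new condition on the `+` line routes a recognized but non-whitelisted command through the same branch as `cmd == null`, and per the reply below that branch returns false, which makes the caller treat the bytes as a client request and go on to allocate a buffer; a non-whitelisted four-letter word is still a four-letter word, so it should be consumed here (log and close the connection) and the method should return true. Suggest keeping `if (cmd == null) {` with its `return false` and adding a separate `if (!FourLetterCommands.getWhiteListedCmdView().contains(cmd))` branch that rejects the command and returns true, which also lets the rejection log name the command. Separately, as shown the `+` line has no trailing `{` while the `-` line `if (cmd == null) {` does; if that is not an e-mail line-wrap artifact, the block will not compile.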
    --- End diff --
    I think the original comment was not clear, but I think it is a good catch. Instead of returning false here we return true, because the semantics of checkFourLetterWord is that we only return false if the 4lw is not found, and in that case the caller will think this is a client message and proceed to allocate the buffer etc. (iiuc, that was what "it should be processed in that way only" meant).

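The three-way decision discussed in the comment above (not a four-letter word at all, a whitelisted four-letter word, a four-letter word that is known but not whitelisted) as an added illustration, not ZooKeeper's code: the `FourLetterWordGate` class, its `Outcome` type, the command map and the whitelist contents are assumptions standing in for `FourLetterCommands` and its whitelist view; wchp and wchc are the commands the subject line names, the other command names are assumed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added illustration, not ZooKeeper code. The map, the whitelist and the
// Outcome type are assumptions standing in for FourLetterCommands and its
// whitelist view.
public class FourLetterWordGate {

    public enum Outcome {
        NOT_A_4LW,  // caller treats the int as a client request length
        RUN,        // known and whitelisted: execute the command
        REJECT      // known but not whitelisted: consume it here, never pass it on
    }

    // Four ASCII bytes read as a big-endian int, the same bytes the server
    // would otherwise interpret as the length prefix of a client request.
    static int toInt(String word) {
        byte[] b = word.getBytes(StandardCharsets.US_ASCII);
        return (b[0] & 0xff) << 24 | (b[1] & 0xff) << 16
             | (b[2] & 0xff) << 8  | (b[3] & 0xff);
    }

    private final Map<Integer, String> cmdByInt = new HashMap<>();
    private final Set<String> whitelist;

    FourLetterWordGate(Set<String> known, Set<String> whitelist) {
        for (String w : known) {
            cmdByInt.put(toInt(w), w);
        }
        this.whitelist = whitelist;
    }

    // Only an int that maps to no command at all is "not a 4lw". A known
    // command that is off the whitelist is still a 4lw and must be handled
    // (rejected) here rather than falling through to the request path.
    Outcome classify(int len) {
        String cmd = cmdByInt.get(len);
        if (cmd == null) {
            return Outcome.NOT_A_4LW;
        }
        if (!whitelist.contains(cmd)) {
            return Outcome.REJECT;
        }
        return Outcome.RUN;
    }

    public static void main(String[] args) {
        // Constructed sample data: a few command names and a whitelist that
        // leaves the watch-dumping commands out.
        Set<String> known = new HashSet<>(Arrays.asList("ruok", "srvr", "stat", "wchp", "wchc"));
        Set<String> allowed = new HashSet<>(Arrays.asList("ruok", "srvr", "stat"));
        FourLetterWordGate gate = new FourLetterWordGate(known, allowed);

        System.out.println("ruok -> " + gate.classify(toInt("ruok")));
        System.out.println("wchp -> " + gate.classify(toInt("wchp")));
        System.out.println("wchc -> " + gate.classify(toInt("wchc")));
        System.out.println("42   -> " + gate.classify(42));
    }
}
```

The point of keeping `REJECT` distinct from `NOT_A_4LW` is the one the comment makes: if both collapsed into the "not found" result, a rejected wchp or wchc would be handed to the client-request path, and the caller would allocate a buffer for what it now believes is a request of that length.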
