ZhaoYang created CASSANDRA-14925:
------------------------------------

             Summary: DecimalSerializer.toString() can be used as an OOM attack 
                 Key: CASSANDRA-14925
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14925
             Project: Cassandra
          Issue Type: Bug
          Components: Core
            Reporter: ZhaoYang
            Assignee: ZhaoYang


Currently, {{DecimalSerializer.toString(value)}} uses 
{{BigDecimal.toPlainString()}}, which generates a huge string for values with a 
large scale.

 
{code:java}
import java.math.BigDecimal;

// Scale of Integer.MAX_VALUE - 6: toPlainString() tries to build a string of
// roughly 2^31 characters ("0." followed by ~2 billion zeros) for a single value.
BigDecimal d = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
d.toPlainString(); // OOM (array allocation exceeds the VM limit){code}
 

Propose to use {{BigDecimal.toString()}} when the scale is larger than 100, which is 
configurable via {{-Dcassandra.decimal.maxscaleforstring}}.

 
| patch | circle-ci |
| [3.0|https://github.com/jasonstack/cassandra/commits/decimal-tostring-3.0] | [unit|https://circleci.com/gh/jasonstack/cassandra/747?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link] |

The code should apply cleanly to 3.0+.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
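The shape of the bounded conversion the ticket proposes, as an added example that is not the linked patch and not Cassandra's own code. The class name, the helper names, reading the {{-Dcassandra.decimal.maxscaleforstring}} property through {{Integer.getInteger}}, and the default of 100 are assumptions taken from the ticket text; the symmetric check on a large negative scale (many trailing zeros, which also inflate {{toPlainString()}}) goes beyond what the ticket states.

```java
import java.math.BigDecimal;

/**
 * Hypothetical replacement for the toPlainString() call in
 * DecimalSerializer.toString(): falls back to BigDecimal.toString()
 * (scientific notation) once the scale exceeds a configurable limit.
 */
public final class BoundedDecimalToString {
    // Assumed property name, as proposed in the ticket.
    private static final String MAX_SCALE_PROPERTY = "cassandra.decimal.maxscaleforstring";
    private static final int DEFAULT_MAX_SCALE = 100;

    static int maxScaleForString() {
        // Integer.getInteger returns the default when the property is unset or unparsable.
        return Integer.getInteger(MAX_SCALE_PROPERTY, DEFAULT_MAX_SCALE);
    }

    static String toString(BigDecimal value) {
        if (value == null) {
            return "";
        }
        int scale = value.scale();
        int limit = maxScaleForString();
        // toPlainString() emits |scale| padding characters that exist nowhere in
        // the stored value; toString() only emits the digits that are actually
        // stored plus a short exponent, so its length is bounded by the input size.
        // Compare both signs explicitly rather than via Math.abs, which overflows
        // for Integer.MIN_VALUE.
        if (scale > limit || scale < -limit) {
            return value.toString();
        }
        return value.toPlainString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        BigDecimal ordinary = new BigDecimal("123.456");
        BigDecimal hugePositiveScale = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
        BigDecimal hugeNegativeScale = new BigDecimal("1e" + (Integer.MAX_VALUE - 6));

        System.out.println(toString(ordinary));          // 123.456
        System.out.println(toString(hugePositiveScale)); // 1E-2147483641
        System.out.println(toString(hugeNegativeScale)); // 1E+2147483641
    }
}
```

The limit is on the scale, not on the output length: a value with a scale of 100 still renders in plain form, while the reproducer from the ticket becomes a 14 character string instead of a ~2 GB allocation. Running with {{-Dcassandra.decimal.maxscaleforstring=10}} would move the first sample to scientific notation as well.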
