[ https://issues.apache.org/jira/browse/CASSANDRA-3017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13501465#comment-13501465 ]

Jonathan Ellis commented on CASSANDRA-3017:
-------------------------------------------

I've been thinking about that last part and I don't have a good solution.  I 
*really* don't want to add the complexity of multi-part replies.

Since the goal here is to protect against malformed messages from non-cluster 
members, how about this?

We pick a limit large enough to let gossip messages through (64K?) and drop 
*all* messages larger than that *from non-cluster members* (according to 
Gossiper's knowledge).

This doesn't help you if you're fuzz-testing Cassandra from one of your other 
nodes, but hopefully you're not doing that...

I think this also would cause some dropped messages when FD announces that a 
node is back up and the cluster tries to replicate stuff to it, but it doesn't 
know yet that the source is a cluster member.  This should be okay for reads 
(since they will be small) but could cause some extra timeouts for writes.

I could see just accepting this, or adding a delay to FD recognition to keep 
that as UAE for a bit longer. Or we could just wontfix.

What do you think [~brandon.williams]?
                
> add a Message size limit
> ------------------------
>
>                 Key: CASSANDRA-3017
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-3017
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Jonathan Ellis
>            Assignee: Kirk True
>            Priority: Minor
>              Labels: lhf
>         Attachments: 0001-use-the-thrift-max-message-size-for-inter-node-messa.patch, trunk-3017.txt
>
>
> We protect the server from allocating huge buffers for malformed message with 
> the Thrift frame size (CASSANDRA-475).  But we don't have similar protection 
> for the inter-node Message objects.
> Adding this would be good to deal with malicious adversaries as well as a 
> malfunctioning cluster participant.
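The policy sketched in the comment above (a fixed size cap that is enforced only for senders the Gossiper does not know as cluster members) can be checked from the frame header alone, before any body buffer is allocated. The following is an added illustration, not code from Cassandra or from this ticket: it assumes a hypothetical 4-byte big-endian length prefix, a `MembershipView` stand-in for the Gossiper's membership knowledge, and the 64K figure floated in the comment as the limit. The `read_messages` walker also shows the failure-detector caveat: once a peer is marked alive, the same oversized header that was rejected from it as a non-member passes the policy check.

```python
import struct
from typing import List, Tuple

# Hypothetical framing and limit. 64K is the value floated in the comment;
# the 4-byte big-endian length prefix is an assumption for this example.
MAX_NON_MEMBER_MESSAGE_BYTES = 64 * 1024
HEADER = struct.Struct(">I")


class MembershipView:
    """Stand-in for the Gossiper's view of cluster membership (hypothetical)."""

    def __init__(self, members=()):
        self._members = set(members)

    def is_member(self, addr: str) -> bool:
        return addr in self._members

    def mark_alive(self, addr: str) -> None:
        # Models the failure detector announcing that a node is back up.
        self._members.add(addr)


def check_frame(header: bytes, sender: str, view: MembershipView,
                limit: int = MAX_NON_MEMBER_MESSAGE_BYTES) -> Tuple[bool, int, str]:
    """Decide from the length prefix alone whether to read the body.

    Returns (accept, declared_length, reason). The decision is made before
    any body-sized buffer exists, which is the whole point of the limit.
    """
    if len(header) < HEADER.size:
        return False, 0, "short header"
    (length,) = HEADER.unpack_from(header)
    if view.is_member(sender):
        # Known cluster members are trusted to send large replication traffic.
        return True, length, "member"
    if length > limit:
        # Unknown sender claiming a body larger than gossip ever needs: drop.
        return False, length, "oversized from non-member"
    return True, length, "non-member within limit"


def read_messages(stream: bytes, sender: str, view: MembershipView,
                  limit: int = MAX_NON_MEMBER_MESSAGE_BYTES) -> Tuple[List[bytes], str]:
    """Walk a constructed byte stream of frames, stopping at the first rejection.

    A real server would close the connection at that point; here we just
    return the bodies accepted so far and the reason we stopped.
    """
    accepted: List[bytes] = []
    pos = 0
    while pos + HEADER.size <= len(stream):
        ok, length, reason = check_frame(stream[pos:pos + HEADER.size], sender, view, limit)
        if not ok:
            return accepted, reason
        body = stream[pos + HEADER.size:pos + HEADER.size + length]
        if len(body) < length:
            return accepted, "truncated body"
        accepted.append(body)
        pos += HEADER.size + length
    return accepted, "eof"


if __name__ == "__main__":
    # Constructed sample: one small gossip-sized frame followed by a header
    # that claims a 10 MB body but carries no bytes behind it.
    view = MembershipView({"10.0.0.2"})
    small = b"x" * 100
    stream = HEADER.pack(len(small)) + small + HEADER.pack(10 * 1024 * 1024)
    print(read_messages(stream, "10.0.0.9", view))   # non-member: second frame dropped
    print(read_messages(stream, "10.0.0.2", view))   # member: body is read (and found truncated)
    view.mark_alive("10.0.0.9")
    print(check_frame(HEADER.pack(70000), "10.0.0.9", view))  # now accepted as member
```

The member branch is what produces the extra write timeouts the comment anticipates: a node that has not yet learned the sender is a member drops its large writes, while the same node accepts them the moment the failure detector marks the sender alive.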

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
