[
https://issues.apache.org/jira/browse/THRIFT-2937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14276914#comment-14276914
]
Roger Meier commented on THRIFT-2937:
-------------------------------------
I'm ok with this.
However we should set it also to the same level(256MB) as we did for
TNonblockingServer with THRIFT-1337
https://github.com/apache/thrift/blob/master/lib/cpp/src/thrift/server/TNonblockingServer.h#L126
> Allow setting a maximum frame size in TFramedTransport
> ------------------------------------------------------
>
> Key: THRIFT-2937
> URL: https://issues.apache.org/jira/browse/THRIFT-2937
> Project: Thrift
> Issue Type: Improvement
> Components: C++ - Library
> Affects Versions: 0.9.3
> Environment: Ubuntu 14.04.1 LTS
> Reporter: Cristian Klein
> Labels: feature, newbie, patch, security
> Fix For: 0.9.3
>
> Attachments: 0001-THRIFT-2937-Allow-setting-a-maximum-frame-size.patch
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> To secure Thrift servers against malicious attacks or corrupted data, an
> often requested feature is to limit the maximum size of a frame at receive.
> TNonblockingServer already has such a feature. The attached patch imposes a
> maximum frame size in TFramedTransport. The default value is very
> conservative (1MiB), to make sure that memory cannot be easily exhausted. The
> user can then increase the maximum frame size, as required.
> Example usage:
> Good Client -> Server: I want to send you a 100MiB file;
> Server -> Good Client: Maximum frame size adjusted go ahead;
> Good Client -> Server: Here comes the file ...
> Bad Client -> Server: Here is a 100MiB frame to exhaust your memory;
> Server -> Bad Client: [connection dropped]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
