Comment #5 on issue 669 by [email protected]: Disabling backward
compatibility for some messages only
https://code.google.com/p/protobuf/issues/detail?id=669
Setting a message limit actually reduces these attacks. 4KB is too little;
it will break forward compatibility in most cases. People prefer binary
encoding like Google Protocol Buffers as the data on the wire is bigger in size.
I believe that there might be some genuine cases where we need to set a
high message limit, say 30Mb. If an attacker sends a message with a 1kb
required field & 28MB optional fields, then the parser would successfully
unpack the data. After that, the application would keep the message in
memory for further processing. If these messages accumulate, after a
while the system memory fills up, causing DoS.
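The scenario in the comment above, as an added example that is not part of the original comment or of the protobuf project: a receiver-side check that walks the wire format before the message is retained and totals the bytes taken by field numbers the receiver does not expect. The names `KNOWN_FIELDS`, `MAX_UNKNOWN_BYTES`, `unknown_field_bytes` and `accept` are hypothetical, and the budget value is an assumption.

```python
KNOWN_FIELDS = {1}              # assumption: the receiver only expects field 1
MAX_UNKNOWN_BYTES = 64 * 1024   # assumption: budget for data in other fields

def read_varint(buf, pos):
    """Decode a base-128 varint; return (value, next_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or overlong varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def unknown_field_bytes(buf, known=KNOWN_FIELDS):
    """Total bytes (key + length + payload) of top-level fields not in `known`."""
    pos = unknown = 0
    while pos < len(buf):
        start = pos
        key, pos = read_varint(buf, pos)
        field, wire = key >> 3, key & 7
        if wire == 0:                      # varint
            _, pos = read_varint(buf, pos)
        elif wire == 1:                    # 64-bit fixed
            pos += 8
        elif wire == 2:                    # length-delimited
            length, pos = read_varint(buf, pos)
            pos += length
        elif wire == 5:                    # 32-bit fixed
            pos += 4
        else:                              # groups (3, 4) are not handled here
            raise ValueError(f"unsupported wire type {wire}")
        if pos > len(buf):
            raise ValueError("field runs past end of message")
        if field not in known:
            unknown += pos - start
    return unknown

def accept(buf, limit=MAX_UNKNOWN_BYTES):
    """True if the message may be kept in memory: unexpected bytes within budget."""
    return unknown_field_bytes(buf) <= limit

def encode_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def ld_field(field, payload):
    """Build a constructed length-delimited field for sample input."""
    return encode_varint(field << 3 | 2) + encode_varint(len(payload)) + payload
```

The check runs over the raw bytes, so it skips payloads by length rather than copying them, and it passes under the overall message limit while still rejecting a message whose bulk sits in unexpected fields.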