----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/58242/#review171265 -----------------------------------------------------------
Fix it, then Ship it! This LGTM. src/linux/ldcache.cpp Line 120 (original), 120 (patched) <https://reviews.apache.org/r/58242/#comment244163> Why this change? Seems irrelevant? - Jie Yu On April 6, 2017, 6:32 p.m., James Peach wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/58242/ > ----------------------------------------------------------- > > (Updated April 6, 2017, 6:32 p.m.) > > > Review request for mesos and Mesos Reviewbot. > > > Bugs: MESOS-7363 > https://issues.apache.org/jira/browse/MESOS-7363 > > > Repository: mesos > > > Description > ------- > > It is possible for a malicious client to send > libprocess SUBSCRIBE requests that will trigger the > !frameworks.principals.contains(...) CHECK. This can happen > if the client sends a subscribe with a framework ID, then a > second subscribe with a different framework ID but the same > UPID. The invariant in the master is that a UPID uniquely > identifies a given framework. This is violated if we allow > multiple frameworks with the same UPID. > > > Diffs > ----- > > src/linux/ldcache.cpp e93334465911d3ec37f38d51249486d5d317bdb3 > src/master/master.cpp 6a6a570e52d21bfb2443f981e3d7faf8c36f74bc > > > Diff: https://reviews.apache.org/r/58242/diff/1/ > > > Testing > ------- > > make checl (Fedora 25). Internal fuzzer run. > > > Thanks, > > James Peach > >
