Re: [Ganglia-developers] gmetad protocol and propagating errors back to the client

2009-01-23 Thread Spike Spiegel
On Thu, Jan 22, 2009 at 6:55 PM, Carlo Marcelo Arenas Belon
care...@sajinet.com.pe wrote:
 the interactive port was designed to mimic the behaviour from the
 original gmetad port which always returns the whole tree.

why's that? if I wanted the whole tree I'd query the non interactive
port, instead I'm asking for specific metrics so I should get them or
nothing (or an error). Falling back to whole tree doesn't sound
correct to me.

 if your concern is about returning too much data and the request was
 missing, it might be better then to return no tree information (which
 should be also valid)

I'm not sure what you mean here with no tree information. Would the
DTD + grid tag count as such?

I see 2 cases:
1) bad request
2) some/all of the items do not exist

1) happens before root_report_start is run, so we could easily return
nothing or call root_report_start and end before closing the fd
2) happens after root_report_start has run, so we could add each
found metric and nothing for the non-existing ones, and then call
root_report_end

doing that in both cases you get valid xml with at worst a GRID tag
that doesn't contain anything or contains multiple cluster tags for
each requested metric and the non-existing ones missing, which should
be enough of a hint to the client that they don't exist.

would that do?

-- 
Behind every great man there's a great backpack - B.

--
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
___
Ganglia-developers mailing list
Ganglia-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ganglia-developers
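
The response behaviour proposed in the message above, as an added example that is not part of the original thread and is not gmetad source code. The request format (space-separated `/cluster/metric` paths), the sample table, the `interactive_report` name and the bodies of `root_report_start`/`root_report_end` are assumptions made for illustration; only those two function names come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for gmetad's metric tree. */
struct item { const char *cluster, *metric, *val; };
static const struct item tree[] = {
    { "web", "load_one", "0.42" }, { "web", "cpu_num", "8" }, { "db", "load_one", "1.30" },
};
#define NITEMS (sizeof tree / sizeof tree[0])
#define TAIL 7 /* strlen("</GRID>"), kept free so the close tag always fits */

/* Append s only if it fits entirely; never writes a partial element. */
static void emit(char *out, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);
    if (*len + n < cap) { memcpy(out + *len, s, n + 1); *len += n; }
}

/* Simplified stand-ins for the functions named in the thread. */
static void root_report_start(char *o, size_t c, size_t *l) { emit(o, c - TAIL, l, "<GRID NAME=\"demo\">"); }
static void root_report_end(char *o, size_t c, size_t *l) { emit(o, c, l, "</GRID>"); }

/* req: space-separated /cluster/metric paths (assumed format); cap >= 64.
 * Returns items found, or -1 for a bad request; out is well-formed either way. */
int interactive_report(const char *req, char *out, size_t cap)
{
    char path[128], line[192], *slash;
    size_t len = 0, n = 0, i;
    int found = 0, bad = (req == NULL || req[0] != '/');

    out[0] = '\0';
    root_report_start(out, cap, &len);
    for (; !bad && *req; req += n) {
        req += strspn(req, " \r\n");
        if ((n = strcspn(req, " \r\n")) == 0) break;
        if (n >= sizeof path) continue;              /* oversized item: skip */
        memcpy(path, req, n); path[n] = '\0';
        if (path[0] != '/' || !(slash = strchr(path + 1, '/'))) continue;
        *slash = '\0';
        for (i = 0; i < NITEMS; i++) {
            if (strcmp(tree[i].cluster, path + 1) || strcmp(tree[i].metric, slash + 1)) continue;
            snprintf(line, sizeof line, "<CLUSTER NAME=\"%s\"><METRIC NAME=\"%s\" VAL=\"%s\"/></CLUSTER>",
                     tree[i].cluster, tree[i].metric, tree[i].val);
            emit(out, cap - TAIL, &len, line);       /* data comes from the tree, never the request */
            found++;
        }
    }
    root_report_end(out, cap, &len);
    return bad ? -1 : found;
}
```

The size of the reply is bounded by what was asked for and found, so a bad or non-matching request costs an empty GRID element rather than the whole tree.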


Re: [Ganglia-developers] CVE

2009-01-23 Thread Spike Spiegel
On Fri, Jan 23, 2009 at 11:52 PM, Brad Nicholes bnicho...@novell.com wrote:

  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0242

 Ganglia 3.1.1 allows remote attackers to cause a denial of service via
 a request to the gmetad service with a path does not exist, which causes
 Ganglia to (1) perform excessive CPU computation and (2) send the entire
 tree, which consumes network bandwidth.

 this one is IMHO invalid as the CPU and bandwidth costs for this in the
 current code are constant and the wording quoted was most likely taken
 out of context as it referred originally to a contribution proposal
 which has not been yet committed.


agreed, all the advisories I've seen around have misquoted my original
report and missed the link to the feature proposal. As it stands this
CVE is invalid.


 Are we finished hashing this whole patch out yet?  Are we ready to apply the 
 current patch to 3.1.2 and release or is there still more discussion going on?

as far as I'm concerned #223 is resolved and good to go.

thanks everybody.

-- 
Behind every great man there's a great backpack - B.
