From: Stefan Beller <sbeller@google.com>
To: Jeff King <peff@peff.net>
Cc: Junio C Hamano <gitster@pobox.com>,
Jonathan Nieder <jrnieder@gmail.com>,
"git@vger.kernel.org" <git@vger.kernel.org>,
Eric Wong <e@80x24.org>, Dan Wang <dwwang@google.com>,
Dennis Kaarsemaker <dennis@kaarsemaker.net>
Subject: Re: [PATCH 2/4] receive-pack: implement advertising and receiving push options
Date: Fri, 8 Jul 2016 15:29:09 -0700 [thread overview]
Message-ID: <CAGZ79kbu1ec-8LiFrvnXqFqsjFnEofhjZnxcENa1aA1K56m9Fg@mail.gmail.com> (raw)
In-Reply-To: <20160708222127.GA10756@sigill.intra.peff.net>
On Fri, Jul 8, 2016 at 3:21 PM, Jeff King <peff@peff.net> wrote:
> On Fri, Jul 08, 2016 at 03:17:13PM -0700, Stefan Beller wrote:
>
>> >If people are seeing these in
>> > routine use, then the limits are set too low, and this should happen
>> > roughly as often as a BUG assertion, and IMHO should be treated roughly
>> > the same: don't bother with translation, and don't worry about
>> > optimizing wasted bandwidth for this case. It won't happen enough to
>> > matter.
>>
>> Well the wasted band width is part of the server protection, no?
>
> Not if you stop receiving as soon as you hit the limits. Then of course
> they can send up to the limit each time, but that is not a DoS. That is
> things working as advertised.
>
>> This would favor the idea Jonathan came up with:
>>
>> server: I advertise push options
>> client: ok I want to use push options
>> client: I'll send you 1000 push options with upper bound of 1000M
>> server: It's a bit too much, eh?
>> * server quits
>>
>> So this case only occurs for the (malicious?) corner case, where I
>> do not bother a translation.
>
> In the malicious case, the client says "I'll send you 10 push option
> with an upper bound of 1024K", and then sends gigabytes anyway. Either
> way the server has to react to what is sent, not what is promised.
Well that is what the initial patch did via:
+ for (i = 0; i < max_options; i++) {
+ char *line;
+ int len;
+
+ line = packet_read_line(0, &len);
+
+ if (!line)
+ break;
+
+ if (len > max_size)
+ die("protocol error: server configuration allows push "
+ "options of size up to %d bytes", max_size);
+
+ len = strcspn(line, "\n");
+ line[len] = '\0';
+
+ string_list_append(ret, line);
+ }
+ if (i == max_options)
+ die("protocol error: server configuration only allows up "
+ "to %d push options", max_options);
I assume the die is an effective way to "stop receiving".
Thinking further about what you said, I think the initial selections of
max_size and max_options is sufficient and we only see those bounds in
the malicious case.
This discussion rather makes me wonder if we want to stick to the initial design
as it was easy and not overcomplicating things as we assume the abort case
doesn't occur often.
>
> -Peff
next prev parent reply other threads:[~2016-07-08 22:29 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-07 1:12 [PATCHv3 0/4] Push options in C Git Stefan Beller
2016-07-07 1:12 ` [PATCH 1/4] push options: {pre,post}-receive hook learns about push options Stefan Beller
2016-07-07 20:20 ` Junio C Hamano
2016-07-07 21:50 ` Stefan Beller
2016-07-07 21:53 ` Junio C Hamano
2016-07-07 1:12 ` [PATCH 2/4] receive-pack: implement advertising and receiving " Stefan Beller
2016-07-07 20:37 ` Junio C Hamano
2016-07-07 21:41 ` Stefan Beller
2016-07-07 21:56 ` Jeff King
2016-07-07 22:06 ` Stefan Beller
2016-07-07 22:09 ` Jeff King
2016-07-07 22:06 ` Junio C Hamano
2016-07-08 17:58 ` Jonathan Nieder
2016-07-08 18:39 ` Junio C Hamano
2016-07-08 18:57 ` Stefan Beller
2016-07-08 21:46 ` Jeff King
2016-07-08 22:17 ` Stefan Beller
2016-07-08 22:21 ` Jeff King
2016-07-08 22:29 ` Stefan Beller [this message]
2016-07-08 22:35 ` Jeff King
2016-07-08 22:43 ` Stefan Beller
2016-07-08 22:46 ` Jeff King
2016-07-08 22:51 ` Stefan Beller
2016-07-07 1:12 ` [PATCH 3/4] push: accept " Stefan Beller
2016-07-07 20:52 ` Junio C Hamano
2016-07-08 22:59 ` Stefan Beller
2016-07-11 18:42 ` Junio C Hamano
2016-07-07 1:12 ` [PATCH 4/4] add a test for " Stefan Beller
2016-07-07 19:51 ` Junio C Hamano
2016-07-07 20:01 ` Junio C Hamano
2016-07-07 21:51 ` Stefan Beller
-- strict thread matches above, loose matches on Subject: below --
2016-07-14 21:49 [PATCHv7 0/4] Push options Stefan Beller
2016-07-14 21:49 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-14 17:39 [PATCHv5 0/4] Push options Stefan Beller
2016-07-14 17:39 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-14 18:38 ` Junio C Hamano
2016-07-14 19:00 ` Stefan Beller
2016-07-14 19:07 ` Junio C Hamano
2016-07-14 19:45 ` Jeff King
2016-07-14 20:07 ` Junio C Hamano
2016-07-09 0:31 [PATCHv4 0/4] Push options Stefan Beller
2016-07-09 0:31 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-10 17:06 ` Shawn Pearce
2016-07-10 18:05 ` Stefan Beller
2016-07-12 4:53 ` Shawn Pearce
2016-07-12 5:24 ` Jeff King
2016-06-30 0:59 [RFC PATCHv1 0/4] Push options in C Git Stefan Beller
2016-06-30 0:59 ` [PATCH 2/4] receive-pack: implement advertising and receiving push options Stefan Beller
2016-07-01 17:11 ` Junio C Hamano
2016-07-01 17:24 ` Stefan Beller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGZ79kbu1ec-8LiFrvnXqFqsjFnEofhjZnxcENa1aA1K56m9Fg@mail.gmail.com \
--to=sbeller@google.com \
--cc=dennis@kaarsemaker.net \
--cc=dwwang@google.com \
--cc=e@80x24.org \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jrnieder@gmail.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).