On 10/14/2016 02:23 PM, Eric Blake wrote:
>> static void socket_read(CLIENT* client, void *buf, size_t len) {
>> + void *tmp = NULL;
>> + if (!buf) {
>> + /* FIXME: Enforce maximum bound on client-provided len? */
>> + tmp = buf = malloc(len);
>> + }
>> g_assert(client->socket_read != NULL);
>
> Since we are malloc'ing a scratch buffer to hold a client-specified
> length, I do NOT want us to be casually allowing the client to tell us
> to make a 2G allocation. Maybe when reading off dead length, it's
> better to write a loop that does a loop into a max-size buffer for as
> many loop iterations as needed, rather than allocating a single buffer
> that will just be thrown away; but such complexity doesn't belong on the
> hot-path of normal reads. Still, even if I cap maximum allocation by
> reading in a loop, there's a question of how much time we allow to
> processing dead reads, vs. cutting our losses and disconnecting the
> client as ill-behaved.

And had I read a bit further in the source, I see we already have
consume() that does the very loop I'm talking about.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
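Review bot: the `tmp = buf = malloc(len);` line in the quoted hunk never checks that the allocation succeeded before `buf` is passed on to the read, and `len` on that path is client-controlled with no upper bound (the FIXME comment in the hunk acknowledges this), so a peer can trigger a failed or very large allocation on a buffer that exists only to be thrown away. Suggest not allocating on the `!buf` path at all: send the discard through the existing bounded-buffer loop (`consume()`, as the follow-up notes) and reject lengths above a policy cap by disconnecting the client, rather than leaving the FIXME in place.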
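The bounded-loop approach Eric describes (drain a client-specified length through a fixed-size scratch buffer instead of `malloc(len)`, and cut the client off when the length exceeds a cap or the peer stops sending) looks like the following. This is an added example, not nbd's `consume()` or any code from the thread; `discard_bytes`, `demo_discard`, `SCRATCH_SIZE` and the 64 MiB cap are hypothetical names and values chosen here, and the pipe-fed payload is constructed for the demo.

```c
/* Added example (not nbd's own code): throw away `len` bytes sent by a
 * client using a fixed-size scratch buffer and an upper bound, so that a
 * client-chosen length never drives a matching allocation. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SCRATCH_SIZE 4096                    /* hypothetical scratch size */
#define MAX_DISCARD  (64u * 1024u * 1024u)   /* hypothetical policy cap: 64 MiB */

/* Read and discard exactly `len` bytes from `fd`.
 * Returns 0 on success, -1 when `len` exceeds `cap` or the peer closes or
 * errors before delivering what it promised (caller should disconnect). */
int discard_bytes(int fd, size_t len, size_t cap)
{
    unsigned char scratch[SCRATCH_SIZE];

    if (len > cap)
        return -1;                           /* refuse oversized dead reads up front */

    while (len > 0) {
        size_t want = len < sizeof scratch ? len : sizeof scratch;
        ssize_t n = read(fd, scratch, want);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;                       /* read error: give up on this client */
        }
        if (n == 0)
            return -1;                       /* EOF before the promised length arrived */
        len -= (size_t)n;
    }
    return 0;
}

/* Demo helper: push `available` constructed filler bytes through a pipe,
 * then ask discard_bytes to drop `requested` of them under `cap`.
 * Returns discard_bytes' result, or -2 if the pipe itself failed.
 * Keep `available` well under the pipe buffer size (64 KiB on Linux) so the
 * writes complete before anything is read. */
int demo_discard(size_t available, size_t requested, size_t cap)
{
    int fds[2];
    unsigned char chunk[512];
    int rc;

    if (pipe(fds) < 0)
        return -2;
    memset(chunk, 0xAB, sizeof chunk);       /* constructed filler payload */
    while (available > 0) {
        size_t w = available < sizeof chunk ? available : sizeof chunk;
        ssize_t n = write(fds[1], chunk, w);
        if (n < 0) {
            close(fds[0]);
            close(fds[1]);
            return -2;
        }
        available -= (size_t)n;
    }
    close(fds[1]);                           /* EOF follows the payload */
    rc = discard_bytes(fds[0], requested, cap);
    close(fds[0]);
    return rc;
}

int main(void)
{
    printf("exact length:    %d\n", demo_discard(8192, 8192, MAX_DISCARD));
    printf("peer sent short: %d\n", demo_discard(4096, 8192, MAX_DISCARD));
    printf("over the cap:    %d\n", demo_discard(16, (size_t)MAX_DISCARD + 1, MAX_DISCARD));
    return 0;
}
```

The cap check happens before any read so an absurd length costs nothing, and the short-read case returns an error rather than spinning, which is the "cut our losses and disconnect" half of the trade-off the reply raises; a real server would additionally put a deadline on the loop.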