On 10/14/2016 02:23 PM, Eric Blake wrote:
>> static void socket_read(CLIENT* client, void *buf, size_t len) {
>> + void *tmp = NULL;
>> + if (!buf) {
>> + /* FIXME: Enforce maximum bound on client-provided len? */
>> + tmp = buf = malloc(len);
>> + }
>> g_assert(client->socket_read != NULL);
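Review bot: `tmp = buf = malloc(len)` allocates a client-supplied length with no upper bound and no NULL check, so a misbehaving client can force an arbitrarily large allocation, and if malloc fails the following read goes through a NULL `buf`; at minimum check the result (`if (!tmp) { /* treat as protocol error, disconnect */ }`) and cap `len`, and for reads whose data is only discarded, prefer draining through a fixed-size scratch buffer in a loop, as the existing consume() helper mentioned later in this thread does, so no client-sized allocation is needed on that path. Also worth documenting (or showing in the hunk) where `tmp` is freed, since this hunk only shows the allocation.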
>
> Since we are malloc'ing a scratch buffer to hold a client-specified
> length, I do NOT want us to be casually allowing the client to tell us
> to make a 2G allocation. Maybe when reading off dead length, it's
> better to write a loop that does a loop into a max-size buffer for as
> many loop iterations as needed, rather than allocating a single buffer
> that will just be thrown away; but such complexity doesn't belong on the
> hot-path of normal reads. Still, even if I cap maximum allocation by
> reading in a loop, there's a question of how much time we allow to
> processing dead reads, vs. cutting our losses and disconnecting the
> client as ill-behaved.
And had I read a bit further in the source, I see we already have
consume() that does the very loop I'm talking about.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
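The bounded drain loop discussed above, written out as an added example: it is not the project's consume() and not code from this thread. The `read_fn` callback, the limits `MAX_DEAD_READ` and `SCRATCH_SIZE`, and the in-memory `mem_stream` client are assumptions constructed so the loop runs offline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

typedef ssize_t (*read_fn)(void *ctx, void *buf, size_t len);
/* Assumed limits: refuse dead reads above this size instead of waiting on the client. */
#define MAX_DEAD_READ (64u * 1024u * 1024u)
#define SCRATCH_SIZE 4096u

/* Discard len bytes through a fixed scratch buffer instead of malloc(len).
 * Returns false when len exceeds the cap or the client stops sending early. */
bool consume(read_fn rd, void *ctx, uint64_t len) {
    char scratch[SCRATCH_SIZE];
    if (len > MAX_DEAD_READ)
        return false;                       /* ill-behaved client: cut our losses */
    while (len > 0) {
        size_t chunk = len < sizeof scratch ? (size_t)len : sizeof scratch;
        ssize_t n = rd(ctx, scratch, chunk);
        if (n <= 0)
            return false;                   /* EOF or error: treat the client as gone */
        len -= (uint64_t)n;
    }
    return true;
}

/* Constructed in-memory "client" so the loop can run without a socket. */
struct mem_stream { const char *data; size_t len, pos, reads; };
ssize_t mem_read(void *ctx, void *buf, size_t len) {
    struct mem_stream *s = ctx;
    size_t avail = s->len - s->pos, n = len < avail ? len : avail;
    if (n == 0)
        return 0;                           /* stream exhausted: behaves like EOF */
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    s->reads++;
    return (ssize_t)n;
}

/* Constructed client holding `have` bytes (at most 10000) that announced `announce`.
 * Returns the number of read() calls consume() needed, or 0 when it refused or failed. */
size_t demo_drain(size_t have, uint64_t announce) {
    static char data[10000];
    struct mem_stream s = { data, have, 0, 0 };
    return consume(mem_read, &s, announce) ? s.reads : 0;
}
```

With a 4096-byte scratch buffer, 10000 announced bytes drain in three reads; a client that announces more than it sends, or more than the cap, is rejected without any allocation.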