bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: getline & getline_safe


From: Paul Edwards
Subject: Re: getline & getline_safe
Date: Thu, 24 Jul 2003 03:20:12 GMT

"Derek Robert Price" <address@hidden> wrote in message news:address@hidden
> Anyhow, I noticed that ccvs/src/server.c is calling a getline_safe()
> function that is basically getline() with a maximum read limit.  The CVS
> log of ccvs/src/server.c & ccvs/src/getline.c reports that
> getline_safe() was added by Karl Fogel in July of 2000 and called in
> order to avoid a denial of service attack during the authentication
> phase where an attacker sends long authentication strings without
> newlines, I assume to fill up memory and slow things down or halt them.
> I couldn't find anything in the relevant mail archives on the subject.
>
> My question is, is this really necessary?  Don't most modern operating
> systems allow ulimit to limit process size?

I think it is usual for a program to have processing restrictions,
although I would have made it based on a CVS-controlled define,
like CVS_STR_LIMIT, rather than PATH_MAX, which could
potentially be 8, while userid may be 30.

BFN.  Paul.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]