breser@tigris.org wrote:
>Modified: trunk/subversion/libsvn_ra_svn/marshal.c
>Url: http://svn.collab.net/viewcvs/svn/trunk/subversion/libsvn_ra_svn/marshal.c?view=diff&rev=9946&p1=trunk/subversion/libsvn_ra_svn/marshal.c&r1=9945&p2=trunk/subversion/libsvn_ra_svn/marshal.c&r2=9946
>==============================================================================
>--- trunk/subversion/libsvn_ra_svn/marshal.c (original)
>+++ trunk/subversion/libsvn_ra_svn/marshal.c Thu Jun 10 12:35:09 2004
>@@ -479,13 +479,49 @@
>
> /* --- READING DATA ITEMS --- */
>
>+/* Read LEN bytes from CONN into already-allocated structure ITEM.
>+ * Afterwards, *ITEM is of type 'SVN_RA_SVN_STRING', and its string
>+ * data is allocated in POOL. */
>+static svn_error_t *read_string(svn_ra_svn_conn_t *conn, apr_pool_t *pool,
>+ svn_ra_svn_item_t *item, apr_uint64_t len)
>+{
>+ char readbuf[4096];
>+ apr_size_t readbuf_len;
>+ svn_stringbuf_t *stringbuf = svn_stringbuf_create ("", pool);
>+
>+ /* We can't store strings longer than the maximum size of apr_size_t,
>+ * so check for wrapping */
>+ if (((apr_size_t) len) < len)
>+ return svn_error_create(SVN_ERR_RA_SVN_MALFORMED_DATA, NULL,
>+ "String length larger than maximum");
>
>
This doesn't do much to avoid the DoS. On most platforms the limit
you're testing for is 4GiB, and you'll run out of swap long before that.
We have SVN_MAX_OBJECT_SIZE for such checks, except that its value isn't
very useful as it stands. Might I suggest we finally decide what the
maximum in-memory object size should be? I'd suggest twice the stream
chunk size.
--
Brane Čibej <brane_at_xbc.nu> http://www.xbc.nu/brane/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Jun 11 12:41:43 2004