author | Karl Ramm <kcr@1ts.org> | 2010-08-22 00:56:21 +0000 |
---|---|---|
committer | Karl Ramm <kcr@1ts.org> | 2010-08-22 00:56:21 +0000 |
commit | 95c7a8b784a189574401a8cd768d73049531ce29 (patch) | |
tree | c833eb3be0ca2347b4d2069638c3ec47470c67ff /lib/ZMkAuth.c | |
parent | b76f80d4acb7b3d63ae119f91c15cded1f606f47 (diff) |
tweak find_or_replace_uid storage algorithm
Per Nelson Elhage:
find_or_insert_uid sorts 'buffer' by the uid, which is a
remotely-provided field. However, in order to expire uids, it does:
    while (num && (now - buffer[start % size].t) > CLOCK_SKEW)
        start++, num--;
    start %= size;
i.e. starts from the start of the queue and goes until it finds
something sufficiently new. Since the queue ordering is
attacker-controlled, we can send an arbitrarily-long sequence of
decreasing uids, consuming memory and forcing the client into an
ever-growing quadratic loop to insert them at the beginning.
--
Solve this by not keeping the buffer sorted; just tack the incoming
uids on the end. This way an attacker can make us keep five minutes
worth of UIDs, but only five minutes, and also anecdotally a client
under attack spends all of its CPU sorting uids.
Diffstat (limited to 'lib/ZMkAuth.c')
0 files changed, 0 insertions, 0 deletions
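The storage scheme the commit message describes, as an added example that is not the Zephyr source: a circular queue that appends uids in arrival order, so the front-of-queue expiry loop quoted above always meets the oldest entries first, whatever uid values the sender chooses. The names `uid_cache` and `uid_seen_or_add`, the 12-byte uid, the 300-second `CLOCK_SKEW` value, and the use of the local receive time as the timestamp are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CLOCK_SKEW 300   /* seconds; assumed from "five minutes" in the message */

struct uid_entry { unsigned char uid[12]; time_t t; };   /* assumed layout */

struct uid_cache {       /* circular queue kept in arrival order, never sorted */
    struct uid_entry *buf;
    size_t size, start, num;
};

/* now = local receive time (assumption). Returns 1 if uid was already seen
 * within CLOCK_SKEW (replay), 0 if newly recorded, -1 on allocation failure. */
int uid_seen_or_add(struct uid_cache *c, const unsigned char uid[12], time_t now)
{
    size_t i;

    /* Arrival order is time order, so expired entries are always at the front. */
    while (c->num && (now - c->buf[c->start % c->size].t) > CLOCK_SKEW)
        c->start++, c->num--;
    if (c->size)
        c->start %= c->size;

    /* Linear duplicate check; the uid value never decides where an entry sits. */
    for (i = 0; i < c->num; i++)
        if (!memcmp(c->buf[(c->start + i) % c->size].uid, uid, 12))
            return 1;

    if (c->num == c->size) {          /* full: grow and unwrap into a new array */
        size_t nsize = c->size ? c->size * 2 : 16;
        struct uid_entry *nbuf = malloc(nsize * sizeof *nbuf);
        if (!nbuf)
            return -1;
        for (i = 0; i < c->num; i++)
            nbuf[i] = c->buf[(c->start + i) % c->size];
        free(c->buf);
        c->buf = nbuf; c->size = nsize; c->start = 0;
    }
    i = (c->start + c->num++) % c->size;   /* tack the new uid on the end */
    memcpy(c->buf[i].uid, uid, 12);
    c->buf[i].t = now;
    return 0;
}
```

Memory is bounded by the number of uids received within one `CLOCK_SKEW` window, and each insert costs one linear scan with no element shifting.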