Skip to content

Comments

Bump maximum header size to 4096 bytes#144

Closed
emersion wants to merge 2 commits intopires:mainfrom
emersion:bump-buf-size
Closed

Bump maximum header size to 4096 bytes#144
emersion wants to merge 2 commits intopires:mainfrom
emersion:bump-buf-size

Conversation

@emersion
Copy link
Contributor

@emersion emersion commented Feb 3, 2026

PP2_SUBTYPE_SSL_CLIENT_CERT is typically around 1 or 2 kilobytes.

@emersion
Bump maximum header size to 4096 bytes
3bbb3b4 
PP2_SUBTYPE_SSL_CLIENT_CERT is typically around 1 or 2 kilobytes.
@emersion
Add test for v2 header with TLV too large
1f6ba25 
This is important to check for security purposes: all TLVs are
buffered in memory, and we don't want clients to be able to cause
a DoS due to ENOMEM.
@emersion
Copy link
Contributor Author

emersion commented Feb 3, 2026

If we want to keep a conservative default, we could perhaps make this an option instead.

@emersion emersion mentioned this pull request Feb 3, 2026
Merged
@pires
Copy link
Owner

pires commented Feb 4, 2026
edited
Loading

This seems to address a similar issue to #123.

I think increasing the default buffer is a potentially dangerous thing to do as it will increase the upfront cost of accepting a connection therefore harming scalability, while simultaneously also make it easier for DoS'ing the overlying software. That said, maybe taking a peek, and grow approach that checks the length of the header (if present) and increasing the buffer accordingly is a better approach. WDYT @emersion @bollenberger?

UPDATE

I have opened #150 as an alternative to statically resizing the buffer as proposed here.

@pires pires self-assigned this Feb 4, 2026
@emersion
Copy link
Contributor Author

emersion commented Feb 4, 2026

I think there are two separate concerns here:

  • "increase the upfront cost of accepting a connection therefore harming scalability": indeed, bumping the bufio.Reader size to 4k increases the memory footprint of each connection. Getting rid of the Peek call would make it possible to read larger headers without allocating 4k upfront. I have a patch sitting in a local branch to do that, will update the PR accordingly shortly.
  • "make it easier for DoS'ing the overlying software": all TLVs are read into memory, so bumping the max header size to 4k will make it slightly easier to DoS a server. Do you think this concern warrants keeping the current 256 byte limit as default, and adding an option to bump it? I personally think 4k is still quite low so I think it would be fine to just use that limit by default, but I'd be fine with adding an option as well.

@pires pires mentioned this pull request Feb 4, 2026
Closed
@pires
Copy link
Owner

pires commented Feb 4, 2026

@emersion I have opened #150 as an alternative to statically resizing the buffer as proposed here.

@emersion emersion mentioned this pull request Feb 5, 2026
Merged
@emersion
Copy link
Contributor Author

emersion commented Feb 5, 2026

I've posted yet another alternative in #155.

@pires
Copy link
Owner

pires commented Feb 5, 2026

Closing in favor of #155.

@pires pires closed this Feb 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@pires pires

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@emersion @pires