diff options
author | Anders Svensson <[email protected]> | 2015-03-25 07:21:46 +0100 |
---|---|---|
committer | Anders Svensson <[email protected]> | 2015-03-27 07:21:26 +0100 |
commit | 545ff7783cebddc2ca5b2af67a6f13b1a01a4d03 (patch) | |
tree | aa5ea245e6bd77ee5df12e61f682a3f5903e270e /lib/diameter/doc | |
parent | aaff5f36b836c65a72fb38a27e31a88d199a3155 (diff) | |
download | otp-545ff7783cebddc2ca5b2af67a6f13b1a01a4d03.tar.gz otp-545ff7783cebddc2ca5b2af67a6f13b1a01a4d03.tar.bz2 otp-545ff7783cebddc2ca5b2af67a6f13b1a01a4d03.zip |
Add service_opt() incoming_maxlen
To bound the length of incoming messages that will be decoded. A message
longer than the specified number of bytes is discarded. An
incoming_maxlen_exceeded counter is incremented to make note of the
occurrence.
The motivation is to prevent a sufficiently malicious peer from
generating significant load by sending long messages with many AVPs for
diameter to decode. The 24-bit message length header accomodates
(16#FFFFFF - 20) div 12 = 1398099
Unsigned32 AVPs for example, which the current record-valued decode is
too slow with in practice. A bound of 16#FFFF bytes allows for 5461
small AVPs, which is probably more than enough for the majority of
applications, but the default is the full 16#FFFFFF.
Diffstat (limited to 'lib/diameter/doc')
-rw-r--r-- | lib/diameter/doc/src/diameter.xml | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/lib/diameter/doc/src/diameter.xml b/lib/diameter/doc/src/diameter.xml index 37e67d8630..6e41b01c44 100644 --- a/lib/diameter/doc/src/diameter.xml +++ b/lib/diameter/doc/src/diameter.xml @@ -783,6 +783,27 @@ be matched by corresponding &capability; configuration, of </item> +<marker id="incoming_maxlen"/> +<tag><c>{incoming_maxlen, 0..16777215}</c></tag> +<item> +<p> +Bound on the expected size of incoming Diameter messages. +Messages larger than the specified number of bytes are discarded.</p> + +<p> +Defaults to <c>16777215</c>, the maximum value of the 24-bit Message +Length field in a Diameter Header.</p> + +<warning> +<p> +This option should be set to as low a value as is sufficient for the +Diameter applications and peers in question, since decoding incoming +messages from a malicious peer can otherwise generate significant +load.</p> +</warning> + +</item> + <tag><c>{restrict_connections, false | node | nodes |