diff options
| author | Anders Svensson <[email protected]> | 2015-03-25 07:21:46 +0100 |
|---|---|---|
| committer | Anders Svensson <[email protected]> | 2015-03-27 07:21:26 +0100 |
| commit | 545ff7783cebddc2ca5b2af67a6f13b1a01a4d03 (patch) | |
| tree | aa5ea245e6bd77ee5df12e61f682a3f5903e270e /lib/diameter/src/base/diameter_service.erl | |
| parent | aaff5f36b836c65a72fb38a27e31a88d199a3155 (diff) | |
| download | otp-545ff7783cebddc2ca5b2af67a6f13b1a01a4d03.tar.gz otp-545ff7783cebddc2ca5b2af67a6f13b1a01a4d03.tar.bz2 otp-545ff7783cebddc2ca5b2af67a6f13b1a01a4d03.zip | |
Add service_opt() incoming_maxlen
To bound the length of incoming messages that will be decoded. A message
longer than the specified number of bytes is discarded. An
incoming_maxlen_exceeded counter is incremented to make note of the
occurrence.
The motivation is to prevent a sufficiently malicious peer from
generating significant load by sending long messages with many AVPs for
diameter to decode. The 24-bit message length header accomodates
(16#FFFFFF - 20) div 12 = 1398099
Unsigned32 AVPs for example, which the current record-valued decode is
too slow with in practice. A bound of 16#FFFF bytes allows for 5461
small AVPs, which is probably more than enough for the majority of
applications, but the default is the full 16#FFFFFF.
Diffstat (limited to 'lib/diameter/src/base/diameter_service.erl')
| -rw-r--r-- | lib/diameter/src/base/diameter_service.erl | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/diameter/src/base/diameter_service.erl b/lib/diameter/src/base/diameter_service.erl index a01bcdd4e7..86e744dfbe 100644 --- a/lib/diameter/src/base/diameter_service.erl +++ b/lib/diameter/src/base/diameter_service.erl @@ -131,7 +131,8 @@ | {share_peers, diameter:remotes()} %% broadcast to | {use_shared_peers, diameter:remotes()} %% use from | {restrict_connections, diameter:restriction()} - | {string_decode, boolean()}]}). + | {string_decode, boolean()} + | {incoming_maxlen, diameter:message_length()}]}). %% shared_peers reflects the peers broadcast from remote nodes. %% Record representing an RFC 3539 watchdog process implemented by @@ -698,7 +699,8 @@ service_options(Opts) -> Opts, ?RESTRICT)}, {spawn_opt, proplists:get_value(spawn_opt, Opts, [])}, - {string_decode, proplists:get_value(string_decode, Opts, true)}]. + {string_decode, proplists:get_value(string_decode, Opts, true)}, + {incoming_maxlen, proplists:get_value(incoming_maxlen, Opts, 16#FFFFFF)}]. %% The order of options is significant since we match against the list. mref(false = No) -> |