Re: iSCSI: Text request/response spanning - security issue?

["Mallikarjun C." <cbm@rose.hp.com>]

> This isn't a timeout issue at all

Okay, I guess I was sidetracked by "wait indefinitely " in 
your note.

> and none of them may have a 0x00 in it's payload

Since we define the max key size in chapter 4, I take it
that you are concerned about very long lists causing buffer
overruns even while each of the options being within legal size
limits?  I haven't checked the draft, but it appears that this
may need clarification.
--
Mallikarjun

Mallikarjun Chadalapaka
Networked Storage Architecture
Network Storage Solutions Organization
Hewlett-Packard MS 5668 
Roseville CA 95747
cbm@rose.hp.com

----- Original Message ----- 
From: "Luben Tuikov" <luben@splentec.com>
To: "Mallikarjun C." <cbm@rose.hp.com>
Cc: "iSCSI" <ips@ece.cmu.edu>
Sent: Thursday, March 28, 2002 5:40 PM
Subject: Re: iSCSI: Text request/response spanning - security issue?


> "Mallikarjun C." wrote:
> >
> > The expectation is that implementations will set the right timeouts
> > to detect and get out of these conditions.  The state transitions
> > (chapter 5) allow these timeouts as legal events that could cause a
> > Login failure.  Also take a look at section 6.8, which deals with
> > timeouts in text negotiations.
> 
> This isn't a timeout issue at all (but it is a DoS attack).
> 
> The Text Requests can come at the right time,
> and none of them may have a 0x00 in it's payload
> to indicate end of key=value pair. This will
> drain the node's memory.
> 
> There needs to be a limitaion (somehow) on how long
> a key=value could ever be (spanning or not).
> Negotiated or not.
> 
> "Buffer overrun" rings a bell.
> 
> -- 
> Luben
>