  1. Apache Arrow
  2. ARROW-11559

[C++] Improve flatbuffers verification limits

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.0.0
    • Component/s: C++

    Description

      See discussion in https://github.com/apache/arrow/pull/9349#issuecomment-775295349:

      Flatbuffers is able to encode a virtually unbounded number of schema fields in a small buffer size. Verifying that many fields with the Flatbuffers verifier seems to result in potentially unlimited verification times, which is a denial of service risk.

      The way to mitigate this risk is to pass an appropriate max_tables and/or max_depth limit to the Flatbuffers verifier.
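
Added example, not part of the original issue and not Arrow or Flatbuffers code: a simplified model of why a table budget bounds verification time. It assumes the amplification comes from many references pointing at the same table; `Table`, `Buffer`, `MakeAliasedBuffer` and `BoundedVerifier` are hypothetical names, and only `max_depth` and `max_tables` come from the issue text.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model, NOT the Flatbuffers wire format: a "table" stores indices
// of child tables, and several entries may refer to the same child, so the
// stored size and the number of tables a verifier walks can differ hugely.
struct Table { std::vector<uint32_t> children; };
using Buffer = std::vector<Table>;

// Constructed input: `levels` tables, each referencing the next `fanout` times.
Buffer MakeAliasedBuffer(uint32_t levels, uint32_t fanout) {
  Buffer buf(levels);
  for (uint32_t i = 0; i + 1 < levels; ++i) buf[i].children.assign(fanout, i + 1);
  return buf;
}

// Hypothetical verifier with the two budgets named in the issue.
class BoundedVerifier {
 public:
  BoundedVerifier(const Buffer& buf, uint32_t max_depth, uint64_t max_tables)
      : buf_(buf), max_depth_(max_depth), max_tables_(max_tables) {}
  bool Verify() { tables_ = 0; return VerifyTable(0, 1); }
  uint64_t tables_visited() const { return tables_; }

 private:
  bool VerifyTable(uint32_t index, uint32_t depth) {
    if (index >= buf_.size()) return false;     // reference outside the buffer
    if (depth > max_depth_) return false;       // nesting budget exhausted
    if (++tables_ > max_tables_) return false;  // work budget exhausted
    for (uint32_t child : buf_[index].children)
      if (!VerifyTable(child, depth + 1)) return false;
    return true;
  }
  const Buffer& buf_;
  uint32_t max_depth_;
  uint64_t max_tables_;
  uint64_t tables_ = 0;
};

int main() {
  // 20 stored tables and 190 references describe about 1.1e19 logical tables.
  Buffer big = MakeAliasedBuffer(20, 10);
  BoundedVerifier v(big, /*max_depth=*/64, /*max_tables=*/1000);
  bool ok = v.Verify();
  std::printf("accepted=%d tables_visited=%llu\n", ok,
              static_cast<unsigned long long>(v.tables_visited()));
  return 0;
}
```

With the budget in place the walk stops after `max_tables + 1` visits regardless of how much logical structure the buffer describes, so rejection cost depends on the configured limit rather than on the input.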

            People

              Assignee: Antoine Pitrou (apitrou)
              Reporter: Antoine Pitrou (apitrou)