limit memory allocations during multiple object deletion (#6033)

This commit limits the amount of memory allocated by the S3 Multi-Object-Delete-API. The server used to allocate as many bytes as provided by the client using Content-Length. S3 specifies that the S3 Multi-Object-Delete-API can delete at most 1000 objects using a single request. (See: https://docs.aws.amazon.com/AmazonS3/latest/API/multiobjectdeleteapi.html) Since the maximum S3 object name is limited to 1024 bytes the XML body sent by the client can only contain up to 1000 * 1024 bytes (excluding XML format overhead). This commit limits the size of the parsed XML for the S3 Multi-Object-Delete-API to 2 MB. This fixes a DoS vulnerability since (auth.) clients, MitM-adversaries (without TLS) and un-auth. users accessing buckets allowing multi-delete by policy can kill the server. This behavior is similar to the AWS-S3 implementation.
7 years ago · 9f4c120731
parent 12a916091e
commit 9f4c120731
1 changed files with 7 additions and 1 deletions
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@ -282,7 +282,13 @@ func (api objectAPIHandlers) DeleteMultipleObjectsHandler(w http.ResponseWriter,
 	}

 	// Allocate incoming content length bytes.
-	deleteXMLBytes := make([]byte, r.ContentLength)
+	var deleteXMLBytes []byte
+	const maxBodySize = 2 * 1000 * 1024 // The max. XML contains 1000 object names (each at most 1024 bytes long) + XML overhead
+	if r.ContentLength > maxBodySize {  // Only allocated memory for at most 1000 objects
+		deleteXMLBytes = make([]byte, maxBodySize)
+	} else {
+		deleteXMLBytes = make([]byte, r.ContentLength)
+	}

 	// Read incoming body XML bytes.
 	if _, err := io.ReadFull(r.Body, deleteXMLBytes); err != nil {