From 9f4c120731c6135b0fe04503cd64fa2846a011ae Mon Sep 17 00:00:00 2001 From: Andreas Auernhammer Date: Mon, 11 Jun 2018 19:51:38 +0200 Subject: [PATCH] limit memory allocations during multiple object deletion (#6033) This commit limits the amount of memory allocated by the S3 Multi-Object-Delete-API. The server used to allocate as many bytes as provided by the client using Content-Length. S3 specifies that the S3 Multi-Object-Delete-API can delete at most 1000 objects using a single request. (See: https://docs.aws.amazon.com/AmazonS3/latest/API/multiobjectdeleteapi.html) Since the maximum S3 object name is limited to 1024 bytes the XML body sent by the client can only contain up to 1000 * 1024 bytes (excluding XML format overhead). This commit limits the size of the parsed XML for the S3 Multi-Object-Delete-API to 2 MB. This fixes a DoS vulnerability since (auth.) clients, MitM-adversaries (without TLS) and un-auth. users accessing buckets allowing multi-delete by policy can kill the server. This behavior is similar to the AWS-S3 implementation.
---
 cmd/bucket-handlers.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/cmd/bucket-handlers.go b/cmd/bucket-handlers.go
index 3107d2b9c..cff3fa9e1 100644
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@@ -282,7 +282,13 @@ func (api objectAPIHandlers) DeleteMultipleObjectsHandler(w http.ResponseWriter,
 }
 // Allocate incoming content length bytes.
- deleteXMLBytes := make([]byte, r.ContentLength)
+ var deleteXMLBytes []byte
+ const maxBodySize = 2 * 1000 * 1024 // The max. XML contains 1000 object names (each at most 1024 bytes long) + XML overhead
+ if r.ContentLength > maxBodySize { // Only allocated memory for at most 1000 objects
+ deleteXMLBytes = make([]byte, maxBodySize)
+ } else {
+ deleteXMLBytes = make([]byte, r.ContentLength)
+ }
 // Read incoming body XML bytes.
 if _, err := io.ReadFull(r.Body, deleteXMLBytes); err != nil {