sweep: #8028 fix (Core): limit read to TLS payload size

chaen · web-flow · commit 6d9e59d3e3e8 · 2025-02-04T10:59:52.000Z
diff --git a/src/DIRAC/Core/DISET/private/Transports/BaseTransport.py b/src/DIRAC/Core/DISET/private/Transports/BaseTransport.py
@@ -17,6 +17,7 @@
 
 Client <- Service        : Close
 """
+
 import time
 from io import BytesIO
 from hashlib import md5
@@ -27,6 +28,9 @@
 from DIRAC.FrameworkSystem.Client.Logger import gLogger
 from DIRAC.Core.Utilities import MixedEncode
 
+# https://datatracker.ietf.org/doc/html/rfc8446#section-5.1
+TLS_PAYLOAD_SIZE = 16384
+
 
 class BaseTransport:
     """Invokes MixedEncode for marshaling/unmarshaling of data calls in transit"""
@@ -198,7 +202,7 @@ def receiveData(self, maxBufferSize=0, blockAfterKeepAlive=True, idleReceive=Fal
             isKeepAlive = self.byteStream.find(BaseTransport.keepAliveMagic, 0, keepAliveMagicLen) == 0
             # While not found the message length or the ka, keep receiving
             while iSeparatorPosition == -1 and not isKeepAlive:
-                retVal = self._read(16384)
+                retVal = self._read(TLS_PAYLOAD_SIZE)
                 # If error return
                 if not retVal["OK"]:
                     return retVal
@@ -225,6 +229,7 @@ def receiveData(self, maxBufferSize=0, blockAfterKeepAlive=True, idleReceive=Fal
             pkgSize = int(self.byteStream[:iSeparatorPosition])
             pkgData = self.byteStream[iSeparatorPosition + 1 :]
             readSize = len(pkgData)
+
             if readSize >= pkgSize:
                 # If we already have all the data we need
                 data = pkgData[:pkgSize]
@@ -235,7 +240,7 @@ def receiveData(self, maxBufferSize=0, blockAfterKeepAlive=True, idleReceive=Fal
                 pkgMem.write(pkgData)
                 # Receive while there's still data to be received
                 while readSize < pkgSize:
-                    retVal = self._read(pkgSize - readSize, skipReadyCheck=True)
+                    retVal = self._read(min(TLS_PAYLOAD_SIZE, pkgSize - readSize), skipReadyCheck=True)
                     if not retVal["OK"]:
                         return retVal
                     if not retVal["Value"]:
diff --git a/src/DIRAC/Core/DISET/private/Transports/M2SSLTransport.py b/src/DIRAC/Core/DISET/private/Transports/M2SSLTransport.py
@@ -493,7 +493,8 @@ def _write(self, buf):
             # And writting on a socket that received an RST packet
             # triggers a SIGPIPE.
             # In practice, this means that if the server replies to a
-            # dead client with less that 16384 bytes (see),
+            # dead client with less that 16384 bytes
+            # (see https://datatracker.ietf.org/doc/html/rfc8446#section-5.1),
             # we will never notice that we sent the answer to the vacuum.
             # And don't look for a fix, there just isn't.
             wrote = self.oSocket.write(buf)
