Flotype / now

NowJS makes it easy to build real-time web apps using JavaScript
http://www.nowjs.com
MIT License

no way to interrupt incoming messages (eg. data of a remote function call) #41

Closed tommedema closed 13 years ago

tommedema commented 13 years ago

If a client calls a remote function on the server, there is no way to interrupt this stream of data from the client to the server.

In essence, a function call acts "synchronous" because the server waits for the clients to finish sending all parameters and then executes it on the server.

This means that a client can send huge piles of data within a function to a server, causing the stream to take up way too many resources and be too time intensive.

Thus, it has to be possible to validate incoming streams and be able to kill the connection if too much data is being sent.

ericz commented 13 years ago

Hey tom,

Yes this is a fix that we should be implementing ("validate incoming streams" and kill it if it is sending too much data to prevent overuse of server resources).

If you made a function call with a giant amount of parameter data, this won't be synchronous however because the transfer of that data and storing it in memory on the server is all asynchronous. The server will not wait synchronously for the parameters of a function to load fully. That function will simply be called after all data is loaded into memory. The only process there that is synchronous is the deserialization, which may be a problem.

However the issue is still that the memory can be swamped as that data WILL be stored in memory.

Excellent point. I didn't think of this method in our previous discussions.

ericz commented 13 years ago

This might not be possible.

Socket.io exposes incoming data not as a stream but as discrete messages. Any validation we write would have to be after the message has been accepted. We could possibly intercept a malicious message before it gets JSON.parsed, which would save us some time, but even then the damage to memory use would have occurred.

Socket.io v0.7 will be exposing lower level things like the parser so that will be easy to implement (will not have to fork socket.io) in the new version.

In any case this is really more of a socket.io issue so I am closing for now.

Thanks for the issue tom.