Why is it inherently 'madness' to have part of your HTTP stack running in kernel... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		jameshart on April 16, 2015 \| parent \| context \| favorite \| on: Remote Kernel Code Execution Via HTTP Request In I... Why is it inherently 'madness' to have part of your HTTP stack running in kernel space? I think it's generally accepted that handling TCP in the kernel isn't madness; what's the magic distinction between dealing with TCP packets from remote machines and dealing with HTTP requests from remote machines that makes one of them an acceptable activity to carry out in kernel space, and one not? To be clear about http.sys, it's not what you would normally consider a 'web server'. It leaves things like 'serving files' and 'authentication' and stuff up to userland application processes like IIS. But it allows multiple userland applications to be routed HTTP requests directly, without an IPC dispatch.

TheLoneWolfling on April 16, 2015 [–]

It's the amount of complexity, i.e. the number of things to go wrong.

Handling TCP/IP in the kernel requires substantially less complexity than handling HTTP/TCP/IP.

And even then, there are efforts (GNU Hurd, for instance) to push things like TCP out of the kernel level.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact