db-derby-user mailing list archives

From John Embretsen <John.Embret...@Sun.COM>
Subject Re: Inserting data into a database on a Derby network server
Date Tue, 09 Oct 2007 07:42:24 GMT
Hi Ture,

Ture Munter wrote:
> For me this "minor" bug in my own code is not so bad as the uploaded program 
> is only used once (by myself) to insert all data in the database. But that 
> Derby can run out of memory if somebody forgets to close created statements is
> potentially a more serious bug. Of course it requires an attacker to first be 
> able to create a connection to the database server, and in that case he can do
> more interesting things than just making the server crash.

I would say making the server crash is quite interesting, especially when it is 
this easy...  Anyway, I was running a test a while ago that contained code 
which resulted in similar errors. You may be interested in reading the related 
discussion that we had on this list almost two years ago, it's available at:


Let me quote myself:

"However, my main concern right now is that Derby is not robust enough to
handle code of this type without running out of memory within a
relatively short period of time. I guess that since (even) the DOTS
creators wrote such code, other Derby users may be inclined to do so in
the future."

Roughly speaking, two camps emerged during that discussion: Those who think that 
Derby should be able to withstand such code (e.g. not explicitly closing 
statement objects) if possible, and those who won't cut you any slack because 
this is not the recommended way to do it.

I didn't think it was this easy to fill up the heap (by not explicitly closing 
Statement objects) anymore (see e.g. DERBY-210), but there are obviously some 
vulnerabilities left. So thank you for sharing your code and for reporting this!


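The pattern under discussion, as an added example that is not part of the thread or of Derby's own code: a loop that creates a new Statement per row and never closes it, beside the same insert done with one PreparedStatement that is closed in finally. It runs against the embedded driver with an in-memory database so it is self-contained; the database name `leakdemo`, the table `t`, and the row counts are hypothetical, and derby.jar is assumed to be on the classpath. To reproduce the network-server case from the thread you would swap in the client driver and a `jdbc:derby://host:1527/...` URL.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added example (not from the mailing-list thread). Contrasts unclosed
 * Statements with a properly closed, reused PreparedStatement.
 * Assumes the Derby embedded driver (derby.jar) is on the classpath.
 * Database name "leakdemo" and table "t" are hypothetical.
 */
public class StatementLeakDemo {

    static final String URL = "jdbc:derby:memory:leakdemo;create=true";

    // Leaky: each iteration allocates a Statement that is never closed. The
    // Connection keeps a reference to every open Statement until close(), so
    // with a large row count the heap keeps growing instead of being reclaimed.
    static void insertLeaky(Connection conn, int rows) throws SQLException {
        for (int i = 0; i < rows; i++) {
            Statement st = conn.createStatement();   // never closed
            st.executeUpdate("INSERT INTO t(id, val) VALUES (" + i + ", 'v" + i + "')");
        }
    }

    // Recommended: one PreparedStatement, reused for every row and closed in
    // finally. Bound parameters also remove the string-concatenation hazard.
    static void insertClosed(Connection conn, int rows) throws SQLException {
        PreparedStatement ps = conn.prepareStatement("INSERT INTO t(id, val) VALUES (?, ?)");
        try {
            for (int i = 0; i < rows; i++) {
                ps.setInt(1, i);
                ps.setString(2, "v" + i);
                ps.executeUpdate();
            }
        } finally {
            ps.close();
        }
    }

    // Approximate used heap after a GC request; good enough to see the trend.
    static long usedHeap() {
        System.gc();
        Runtime rt = Runtime.getRuntime();
        return rt.totalMemory() - rt.freeMemory();
    }

    // Usage: java StatementLeakDemo [rows] [leaky|closed]
    public static void main(String[] args) throws Exception {
        Class.forName("org.apache.derby.jdbc.EmbeddedDriver"); // not needed on JDBC 4+, harmless
        int rows = args.length > 0 ? Integer.parseInt(args[0]) : 10000;
        boolean leaky = args.length > 1 && "leaky".equals(args[1]);

        Connection conn = DriverManager.getConnection(URL);
        try {
            Statement st = conn.createStatement();
            try {
                st.executeUpdate("CREATE TABLE t(id INT PRIMARY KEY, val VARCHAR(32))");
            } finally {
                st.close();
            }
            conn.setAutoCommit(false);

            long before = usedHeap();
            if (leaky) {
                insertLeaky(conn, rows);
            } else {
                insertClosed(conn, rows);
            }
            conn.commit();
            long after = usedHeap();
            System.out.printf("%s: %d rows inserted, used heap grew by %d KB%n",
                    leaky ? "leaky" : "closed", rows, (after - before) / 1024);
        } finally {
            conn.close(); // closing the Connection finally releases the leaked Statements
        }
    }
}
```

Run it once with `leaky` and once with `closed` at the same row count and compare the heap delta; raise the row count (or lower -Xmx) to drive the leaky variant into OutOfMemoryError. Note that the leaked objects are only released when the Connection itself is closed, which is exactly why a long-lived connection that never closes its Statements is the dangerous case.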