hc-dev mailing list archives

From "Michael Heemskerk (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCORE-491) BasicAsyncResponseConsumer can easily be tricked into triggering an OOME
Date Wed, 27 Sep 2017 11:28:00 GMT
Michael Heemskerk created HTTPCORE-491:
------------------------------------------

             Summary: BasicAsyncResponseConsumer can easily be tricked into triggering an OOME
                 Key: HTTPCORE-491
                 URL: https://issues.apache.org/jira/browse/HTTPCORE-491
             Project: HttpComponents HttpCore
          Issue Type: Bug
          Components: HttpCore NIO
    Affects Versions: 4.4.6
            Reporter: Michael Heemskerk


When using {{BasicAsyncResponseConsumer}} to consume a response, the consumer initializes
its {{SimpleInputBuffer}} with the value reported on the response's {{Content-Length}} header.

It's easy to spoof a response with a very large (but smaller than Integer.MAX_VALUE) {{Content-Length}}
header and have the client pre-allocate a massive buffer, triggering an OOME.

Since {{SimpleInputBuffer}} already expands-on-demand, it would be trivial to cap the initial
buffer size to some reasonable limit (256k or even 1M).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
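
The mitigation proposed in the report above, as an added example in plain JDK Java (not HttpCore's code and not the reporter's): the declared Content-Length is treated as a hint, the initial allocation is capped, and the buffer grows only as real bytes arrive. `CappedResponseBuffer`, `INITIAL_CAP` and `MAX_BODY` are names made up for this example; the 256k cap is the report's suggestion, and the hard body limit is an added assumption.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.nio.channels.ReadableByteChannel;
import java.nio.charset.StandardCharsets;

public class CappedResponseBuffer {
    static final int INITIAL_CAP = 256 * 1024;     // cap suggested in the report (256k)
    static final int MAX_BODY = 16 * 1024 * 1024;  // assumption: hard limit chosen for this example

    private ByteBuffer buf;

    // The declared length comes from the peer, so it only sizes the buffer up to the cap.
    CappedResponseBuffer(long declaredContentLength) {
        long hint = declaredContentLength < 0 ? 4096 : declaredContentLength; // < 0: length unknown
        buf = ByteBuffer.allocate((int) Math.max(1, Math.min(hint, INITIAL_CAP)));
    }

    int capacity() { return buf.capacity(); }

    // Read until EOF, doubling the buffer only when it is actually full.
    byte[] consume(ReadableByteChannel body) throws IOException {
        while (true) {
            if (!buf.hasRemaining()) {
                // Refuse to grow past MAX_BODY; a body that fills the limit is rejected.
                if (buf.capacity() >= MAX_BODY) throw new IOException("response body limit reached");
                ByteBuffer bigger = ByteBuffer.allocate(Math.min(buf.capacity() * 2, MAX_BODY));
                buf.flip();
                bigger.put(buf);
                buf = bigger;
            }
            if (body.read(buf) < 0) break; // EOF
        }
        buf.flip();
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: the header claims about 2 GB, the body is 11 bytes.
        long declared = 2_000_000_000L;
        byte[] actual = "hello world".getBytes(StandardCharsets.US_ASCII);
        CappedResponseBuffer c = new CappedResponseBuffer(declared);
        System.out.println("declared=" + declared + " allocated=" + c.capacity());
        byte[] got = c.consume(Channels.newChannel(new ByteArrayInputStream(actual)));
        System.out.println("received=" + got.length);
    }
}
```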
