tomcat-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: 8.0.x / 7.0.x progress
Date Mon, 07 Oct 2013 13:53:16 GMT
On 07/10/2013 14:09, Konstantin Preißer wrote:
> Hi Mark,
> thank you for your reply.
> 
>> -----Original Message-----
>> From: Mark Thomas [mailto:markt@apache.org]
>> Sent: Monday, October 7, 2013 2:50 PM
>> To: Tomcat Developers List
>> Subject: Re: 8.0.x / 7.0.x progress
> 
>>> However, it seems when the websocket message is greater than ~ 8 KB
>>> (perhaps the value of org.apache.tomcat.websocket.textBufferSize)
>>> then Tomcat does not call the @OnMessage method, and sometimes it
>>> closes the websocket connection. This happens for BIO and NIO (I
>>> haven't checked with APR). The Javadoc for @OnMessage says that for
>>> "maxMessageSize" element: "Specifies the maximum size of message in
>>> bytes that the method this annotates will be able to process, or -1
>>> to indicate that there is no maximum. The default is -1." So,
>>> normally Tomcat should be able to receive such large messages,
>>> right?
>>
>> Only if the endpoint supports partial messages. If partial messages are
>> not supported the connection should be closed with an error message.
> 
> Hmm. But ...   :)
> 
> The complete javadoc for "maxMessageSize" [1] reads:
> 
> "Specifies the maximum size of message in bytes that the method this annotates will be
> able to process, or -1 to indicate that there is no maximum. The default is -1. This attribute
> only applies when the annotation is used to process *whole messages*, not to those methods
> that process messages in parts or use a stream or reader parameter to handle the incoming
> message. If the incoming whole message exceeds this limit, then the implementation generates
> an error and closes the connection using the reason that the message was too big."
> 
> To me this reads that by default (value = -1), there is no limit when processing whole
> messages, so I think Tomcat should handle such large messages when not using methods to read
> partial messages.
> 
> Am I missing something?

DoS via a single large message that triggers an OOME.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
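
The following is an added example, not part of the thread and not Tomcat's own code. It shows a JSR 356 endpoint that avoids the unbounded buffering discussed above by stating an explicit `maxMessageSize` for whole text messages and by handling binary messages in parts under a cumulative cap. The class name, path and both limits are assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.websocket.CloseReason;
import javax.websocket.CloseReason.CloseCodes;
import javax.websocket.OnMessage;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

// Hypothetical endpoint: the path, class name and both limits are assumptions.
@ServerEndpoint("/bounded")
public class BoundedEndpoint {
    private static final long MAX_TEXT_BYTES = 64 * 1024;           // whole-message cap
    private static final long MAX_BINARY_BYTES = 16 * 1024 * 1024;  // cumulative cap

    // By default the container creates one endpoint instance per connection,
    // so these fields hold per-connection state.
    private final MessageDigest digest;
    private long binaryReceived;

    public BoundedEndpoint() {
        try {
            digest = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Whole text messages: an explicit limit replaces the default of -1.
    @OnMessage(maxMessageSize = MAX_TEXT_BYTES)
    public void onText(String message, Session session) throws IOException {
        session.getBasicRemote().sendText("received " + message.length() + " chars");
    }

    // Binary messages arrive in parts; each part is consumed and discarded,
    // so heap use does not grow with the total message size.
    @OnMessage
    public void onBinaryPart(byte[] part, boolean last, Session session) throws IOException {
        binaryReceived += part.length;
        if (binaryReceived > MAX_BINARY_BYTES) {
            session.close(new CloseReason(CloseCodes.TOO_BIG, "binary message exceeds limit"));
            return;
        }
        digest.update(part);
        if (last) {
            // digest() also resets the digest for the next message.
            session.getBasicRemote().sendText(String.format("%064x", new BigInteger(1, digest.digest())));
            binaryReceived = 0;
        }
    }
}
```

The `maxMessageSize` attribute does not apply to the partial-message handler, as the quoted Javadoc states, which is why that method enforces its own cumulative limit.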

