Bela Ban created JGRP-2523:
------------------------------
Summary: Cap max data read by TcpConnection or NioConnection
Key: JGRP-2523
URL: https://issues.redhat.com/browse/JGRP-2523
Project: JGroups
Issue Type: Feature Request
Reporter: Bela Ban
Assignee: Bela Ban
Fix For: 4.2.11, 5.1.3
Both NioConnection and TcpConnection read the length (4 bytes) first, then allocate a
buffer and call InputStream.readFully().
If some random client ({{nc}}, {{curl}}, {{wget}} etc.) connects accidentally, {{length}}
might be huge and the memory allocation will fail with an OOME. This may even terminate
the JVM, e.g. if {{-XX:+ExitOnOutOfMemoryError}} is set.
Solution: introduce an attribute which caps the max length, and throws an exception
(closing the connection), avoiding reading the data. If 0, the length will not be capped.
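
The capped read described in this issue, as an added sketch that is not JGroups code: the class CappedFrameReader, the field maxLength and the method readFrame are hypothetical names, and the 1 MiB cap and both inputs are constructed. It also rejects negative lengths, which the issue does not mention, and shows why an HTTP client is a realistic trigger: the ASCII bytes "GET " read as a big-endian int are 0x47455420, about 1.1 GB.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Added illustration; class, method and field names are hypothetical, not JGroups' own.
public class CappedFrameReader {
    private final int maxLength; // 0 means the length is not capped

    public CappedFrameReader(int maxLength) {
        this.maxLength = maxLength;
    }

    /** Reads one [4-byte length][payload] frame, checking the length before allocating. */
    public byte[] readFrame(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int length = din.readInt(); // big-endian length prefix
        if (length < 0)
            throw new IOException("negative frame length " + length);
        if (maxLength > 0 && length > maxLength)
            throw new IOException("frame length " + length + " exceeds cap " + maxLength);
        byte[] buf = new byte[length]; // allocation happens only after the check
        din.readFully(buf);
        return buf;
    }

    public static void main(String[] args) throws IOException {
        CappedFrameReader reader = new CappedFrameReader(1 << 20); // constructed cap: 1 MiB

        // Constructed input: a well-formed frame carrying 5 bytes.
        byte[] ok = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
        byte[] payload = reader.readFrame(new ByteArrayInputStream(ok));
        System.out.println(new String(payload, StandardCharsets.US_ASCII));

        // Constructed input: what an HTTP client sends first. "GET " decodes to 0x47455420.
        byte[] http = "GET / HTTP/1.1\r\n\r\n".getBytes(StandardCharsets.US_ASCII);
        try {
            reader.readFrame(new ByteArrayInputStream(http));
        } catch (IOException e) {
            // A real connection handler would close the socket at this point.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```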