Hi Ture,

Ture Munter wrote:
For me this "minor" bug in my own code is not so bad as the uploaded program is only used once (by myself) to insert all data in the database. But that Derby can run out of memory if somebody forgets to close created statements is potentially a more serious bug. Of course it requires an attacker to first be able to create a connection to the database server, and in that case he can do more interesting things than just making the server crash.

I would say making the server crash is quite interesting, especially when it is this easy... Anyway, I was running a test a while ago that contained code which resulted in similar errors. You may be interested in reading the related discussion that we had on this list almost two years ago; it's available at:

http://www.nabble.com/OutOfMemoryErrors-when-testing-Derby-with-DOTS-t1010027.html

Let me quote myself:

"However, my main concern right now is that Derby is not robust enough to
handle code of this type without running out of memory within a
relatively short period of time. I guess that since (even) the DOTS
creators wrote such code, other Derby users may be inclined to do so in
the future."

Roughly speaking, two camps emerged during that discussion: Those who think that Derby should be able to withstand such code (e.g. not explicitly closing statement objects) if possible, and those who won't cut you any slack because this is not the recommended way to do it.

I didn't think it was this easy to fill up the heap (by not explicitly closing Statement objects) anymore (see e.g. DERBY-210), but there are obviously some vulnerabilities left. So thank you for sharing your code and for reporting this!


--
John
