Philip Zeyliger created AVRO-1610:
-------------------------------------

             Summary: HttpTransceiver.java allocates arbitrary amount of memory
                 Key: AVRO-1610
                 URL: https://issues.apache.org/jira/browse/AVRO-1610
             Project: Avro
          Issue Type: Bug
          Components: java
    Affects Versions: 1.7.7
            Reporter: Philip Zeyliger


In {{HttpTransceiver.java}}, Avro does:
{code}
      int length = (in.read()<<24)+(in.read()<<16)+(in.read()<<8)+in.read();
      if (length == 0) {                       // end of buffers
        return buffers;
      }
      ByteBuffer buffer = ByteBuffer.allocate(length);
{code}

This means that badly formatted input (like that produced by {{curl http://host/ --data foo}} and many common security scanners) will trigger an OutOfMemory exception. This is undesirable, especially combined with setups that kill the process on out of memory exceptions.

This bug is similar in spirit to AVRO-1111.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
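A bounded version of that read loop, as an added example (not Avro's code and not the fix adopted for this issue); the MAX_BUFFER_LENGTH cap, the class name and the sample byte arrays are assumptions made here. It reads the same big-endian length word but treats a short read or an out-of-range length as a protocol error instead of passing it to allocate():

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
public class BoundedFrameReader {
  // Assumed cap on one buffer; size it from the expected message size, not an Avro constant.
  static final int MAX_BUFFER_LENGTH = 1 << 20;
  static List<ByteBuffer> readBuffers(InputStream raw) throws IOException {
    DataInputStream in = new DataInputStream(raw);
    List<ByteBuffer> buffers = new ArrayList<>();
    while (true) {
      int length;
      try {
        length = in.readInt();   // same big-endian word, but EOF raises instead of yielding -1 bytes
      } catch (EOFException e) {
        throw new IOException("truncated buffer length", e);
      }
      if (length == 0) {         // end of buffers
        return buffers;
      }
      if (length < 0 || length > MAX_BUFFER_LENGTH) {
        throw new IOException("buffer length " + length + " out of range");
      }
      byte[] data = new byte[length];
      in.readFully(data);        // fails on a short body instead of handing back a partial buffer
      buffers.add(ByteBuffer.wrap(data));
    }
  }
  public static void main(String[] args) throws IOException {
    // Constructed inputs: a 3-byte buffer "abc" plus terminator; the 3-byte body that
    // curl --data foo sends; and a 4-byte body whose bytes parse as a ~1.7 GB length.
    byte[][] samples = {
        {0, 0, 0, 3, 'a', 'b', 'c', 0, 0, 0, 0},
        "foo".getBytes("US-ASCII"),
        "fooo".getBytes("US-ASCII"),
    };
    for (byte[] sample : samples) {
      try {
        System.out.println("ok, buffers=" + readBuffers(new ByteArrayInputStream(sample)).size());
      } catch (IOException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

The first sample yields one buffer; the other two are rejected with an IOException that the transport can report as a bad request rather than an OutOfMemoryError.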