Michael Heemskerk created HTTPCORE-491:
------------------------------------------
Summary: BasicAsyncResponseConsumer can easily be tricked into
triggering an OOME
Key: HTTPCORE-491
URL: https://issues.apache.org/jira/browse/HTTPCORE-491
Project: HttpComponents HttpCore
Issue Type: Bug
Components: HttpCore NIO
Affects Versions: 4.4.6
Reporter: Michael Heemskerk
When using {{BasicAsyncResponseConsumer}} to consume a response, the consumer
initializes its {{SimpleInputBuffer}} with the value reported on the response's
{{Content-Length}} header.
It's easy to spoof a response with a very large (but smaller than
Integer.MAX_VALUE) {{Content-Length}} header and have the client pre-allocate a
massive buffer, triggering an OOME.
Since {{SimpleInputBuffer}} already expands-on-demand, it would be trivial to
cap the initial buffer size to some reasonable limit (256k or even 1M)
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
