[ https://issues.apache.org/jira/browse/HTTPCORE-491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16182461#comment-16182461 ]
Oleg Kalnichevski commented on HTTPCORE-491:
--------------------------------------------
@[~mheemskerk] Makes sense. We'll happily take a PR at GitHub ;)
Oleg
> BasicAsyncResponseConsumer can easily be tricked into triggering an OOME
> ------------------------------------------------------------------------
>
> Key: HTTPCORE-491
> URL: https://issues.apache.org/jira/browse/HTTPCORE-491
> Project: HttpComponents HttpCore
> Issue Type: Bug
> Components: HttpCore NIO
> Affects Versions: 4.4.6
> Reporter: Michael Heemskerk
>
> When using {{BasicAsyncResponseConsumer}} to consume a response, the consumer
> initializes its {{SimpleInputBuffer}} with the value reported on the
> response's {{Content-Length}} header.
> It's easy to spoof a response with a very large (but smaller than
> Integer.MAX_VALUE) {{Content-Length}} header and have the client pre-allocate
> a massive buffer, triggering an OOME.
> Since {{SimpleInputBuffer}} already expands on demand, it would be trivial to
> cap the initial buffer size to some reasonable limit (256k or even 1M).
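The allocation pattern the report describes, and the cap it proposes, side by side as an added example. This is a simplified stand-in written for this page, not HttpCore's own `BasicAsyncResponseConsumer` or `SimpleInputBuffer`; the class, method names and the 256 KiB cap are assumptions, and, as in the report, the spoofed `Content-Length` is assumed to be below `Integer.MAX_VALUE`.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Hypothetical, simplified body buffer illustrating the HTTPCORE-491 fix idea
// (not HttpCore's code): grow from a bounded start instead of trusting the header.
public final class CappedBodyBuffer {
    static final int MAX_INITIAL_CAPACITY = 256 * 1024; // cap suggested in the report
    static final int DEFAULT_CAPACITY = 4096;           // for unknown/chunked lengths
    private ByteBuffer buf;

    // Vulnerable pattern: the Content-Length header alone decides the allocation,
    // so a spoofed value just under Integer.MAX_VALUE pre-allocates ~2 GB.
    static int unsafeInitialCapacity(long contentLength) {
        return contentLength > 0 ? (int) contentLength : DEFAULT_CAPACITY;
    }

    // Hardened pattern: the header is only a hint; never pre-allocate past the cap.
    static int cappedInitialCapacity(long contentLength) {
        if (contentLength <= 0) return DEFAULT_CAPACITY;
        return (int) Math.min(contentLength, MAX_INITIAL_CAPACITY);
    }

    CappedBodyBuffer(long contentLength) {
        buf = ByteBuffer.allocate(cappedInitialCapacity(contentLength));
    }

    // Expand on demand as real bytes arrive: memory tracks what was actually
    // received, not what the peer claimed it would send.
    void append(byte[] chunk) {
        if (buf.remaining() < chunk.length) {
            int needed = buf.position() + chunk.length;
            ByteBuffer bigger = ByteBuffer.allocate(Math.max(buf.capacity() * 2, needed));
            buf.flip();
            bigger.put(buf);
            buf = bigger;
        }
        buf.put(chunk);
    }

    int capacity() { return buf.capacity(); }
    int size() { return buf.position(); }

    public static void main(String[] args) {
        long spoofed = 2_000_000_000L; // constructed: attacker-controlled Content-Length
        System.out.println("unsafe pattern would allocate: " + unsafeInitialCapacity(spoofed));
        CappedBodyBuffer body = new CappedBodyBuffer(spoofed);
        System.out.println("capped pattern allocates: " + body.capacity());
        body.append("hello".getBytes(StandardCharsets.US_ASCII)); // constructed body bytes
        System.out.println("bytes actually buffered: " + body.size());
    }
}
```

Capping the initial allocation removes the pre-allocation OOME from a forged header; a peer that really streams gigabytes still needs a separate total-size limit on the consumer, which is a different control from the one this report asks for.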
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)