[ https://issues.apache.org/jira/browse/HTTPCORE-491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16184684#comment-16184684 ]
ASF subversion and git services commented on HTTPCORE-491:
----------------------------------------------------------

Commit c70174b337b9d5e79e8811acfe4794582ba880f8 in httpcomponents-core's branch refs/heads/4.4.x from [~garydgregory]
[ https://git-wip-us.apache.org/repos/asf?p=httpcomponents-core.git;h=c70174b ]

* HTTPCORE-491 Make BasicAsyncRequest|ResponseConsumer more paranoid

Contributed by Michael Heemskerk <mheemsk...@atlassian.com>

> BasicAsyncResponseConsumer can easily be tricked into triggering an OOME
> ------------------------------------------------------------------------
>
>                 Key: HTTPCORE-491
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-491
>             Project: HttpComponents HttpCore
>          Issue Type: Bug
>          Components: HttpCore NIO
>    Affects Versions: 4.4.7
>            Reporter: Michael Heemskerk
>             Fix For: 4.4.8
>
>
> When using {{BasicAsyncResponseConsumer}} to consume a response, the consumer
> initializes its {{SimpleInputBuffer}} with the value reported on the
> response's {{Content-Length}} header.
> It's easy to spoof a response with a very large (but smaller than
> Integer.MAX_VALUE) {{Content-Length}} header and have the client pre-allocate
> a massive buffer, triggering an OOME.
> Since {{SimpleInputBuffer}} already expands-on-demand, it would be trivial to
> cap the initial buffer size to some reasonable limit (256k or even 1M)
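The allocation pattern the report asks for, as an added illustration written for this note. It is not HttpCore's SimpleInputBuffer and not the code in commit c70174b; the class name CappedInputBuffer, the 4 KiB start size for an unknown length, and the MAX_BODY ceiling are assumptions. The 256 KiB initial cap is one of the limits the report suggests. The example goes one step beyond the report by also bounding the total body size the buffer will hold, so a peer cannot reach the same out-of-memory outcome by actually sending the bytes instead of merely declaring them.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

/**
 * Illustrative response-body buffer that does not trust Content-Length for its
 * initial allocation. Example code for this note, not HttpCore's implementation;
 * the class name, start size and MAX_BODY value are assumptions.
 */
public final class CappedInputBuffer {

    /** Ceiling on the initial allocation: 256 KiB, a limit suggested in the report. */
    public static final int INITIAL_CAP = 256 * 1024;

    /** Assumed hard ceiling on the total body held in memory (16 MiB). */
    public static final int MAX_BODY = 16 * 1024 * 1024;

    /** Assumed start size when the declared length is unknown or unusable. */
    private static final int UNKNOWN_START = 4096;

    private byte[] data;
    private int length;

    private CappedInputBuffer(int initialCapacity) {
        this.data = new byte[Math.max(initialCapacity, 1)];
    }

    /**
     * Size the first allocation from the declared Content-Length, clamped to
     * INITIAL_CAP. A spoofed 2 GB header therefore costs at most 256 KiB up front.
     */
    public static CappedInputBuffer forDeclaredLength(long declaredContentLength) {
        if (declaredContentLength < 0) {
            return new CappedInputBuffer(UNKNOWN_START);
        }
        return new CappedInputBuffer((int) Math.min(declaredContentLength, INITIAL_CAP));
    }

    /** Parse a Content-Length header value defensively; -1 means "unknown". */
    public static long parseContentLength(String headerValue) {
        if (headerValue == null) {
            return -1;
        }
        try {
            long v = Long.parseLong(headerValue.trim());
            return v < 0 ? -1 : v;
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    /** Append received bytes, growing on demand but never past MAX_BODY. */
    public void consume(ByteBuffer src) {
        int incoming = src.remaining();
        if ((long) length + incoming > MAX_BODY) {
            throw new IllegalStateException("response body exceeds " + MAX_BODY + " bytes");
        }
        ensureCapacity(length + incoming);
        src.get(data, length, incoming);
        length += incoming;
    }

    /** Double the backing array until it fits, capped at MAX_BODY. */
    private void ensureCapacity(int required) {
        if (required <= data.length) {
            return;
        }
        int newCap = data.length;
        while (newCap < required) {
            newCap = (int) Math.min((long) newCap * 2, MAX_BODY);
        }
        data = Arrays.copyOf(data, newCap);
    }

    public int allocatedCapacity() { return data.length; }
    public int length() { return length; }
    public byte[] toByteArray() { return Arrays.copyOf(data, length); }

    public static void main(String[] args) {
        // Constructed sample: the header claims 2,000,000,000 bytes (below
        // Integer.MAX_VALUE) but the peer actually delivers 13 bytes.
        long declared = parseContentLength("2000000000");
        CappedInputBuffer buf = forDeclaredLength(declared);
        System.out.println("declared=" + declared + " allocated=" + buf.allocatedCapacity());

        buf.consume(ByteBuffer.wrap("hello, world!".getBytes()));
        System.out.println("received=" + buf.length() + " allocated=" + buf.allocatedCapacity());

        // Constructed sample: a non-numeric header falls back to the small start size.
        CappedInputBuffer unknown = forDeclaredLength(parseContentLength("abc"));
        System.out.println("unknown length -> allocated=" + unknown.allocatedCapacity());
    }
}
```

The point to check when reviewing similar consumers is that the declared length only ever shrinks the first allocation (a small body declared small stays small) and never enlarges it beyond the cap; growth is driven by bytes that actually arrive, which the MAX_BODY check bounds.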