[
https://issues.apache.org/jira/browse/AMQ-6596?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17032287#comment-17032287
]
Marcin commented on AMQ-6596:
-----------------------------
Hi,
I face the same issue and I think the problem is quite obvious.
To check the size we are reading the first int from the stream, but to create
the buffer we are reading the next int.
So if the first int is below 100Mb but the second is bigger, you will create a
buffer bigger than your limit and you can get an OOM.
> Out Of Memory error reported on ActiveMQ client during openwire unmarshalling
> -----------------------------------------------------------------------------
>
> Key: AMQ-6596
> URL: https://issues.apache.org/jira/browse/AMQ-6596
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker, JMS client, Transport
> Affects Versions: 5.13.0, 5.13.5, 5.14.3
> Environment: SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11,
> PATCHLEVEL = 3. Java Runtime: IBM Corporation 1.7.0
> Reporter: Konstantinos Pistopoulos
> Priority: Critical
> Attachments: packet.raw
>
>
> ActiveMQ crashes during a vulnerability scan using the Qualys vulnerability
> scanner.
> {code}
> 2017-02-10 14:30:18,631 [0.1:55345@61616] WARN Transport - Transport Connection to: tcp://127.0.0.1:55345 failed: java.io.IOException: Unexpected error occurred: java.lang.OutOfMemoryError: Java heap space
> {code}
> This OOM error is caused by an attempt to initialize a huge byte array of
> 2131230728 bytes. The problem still occurs even if we define the
> maxFrameSize to 100MB.
> It seems that the first comparison with the maxFrameSize is successful
> (method unmarshal) but in the later evaluation of dataIn.readInt() in method
> looseUnmarshalByteSequence, a huge value is evaluated (2131230728 bytes)
> {code}
> @Override
> public Object unmarshal(DataInput dis) throws IOException {
>     DataInput dataIn = dis;
>     if (!sizePrefixDisabled) {
>         int size = dis.readInt();
>         if (size > maxFrameSize) {
>             throw IOExceptionSupport.createFrameSizeException(size, maxFrameSize);
>         }
>         // int size = dis.readInt();
>         // byte[] data = new byte[size];
>         // dis.readFully(data);
>         // bytesIn.restart(data);
>         // dataIn = bytesIn;
>     }
>     return doUnmarshal(dataIn);
> }
> {code}
> {code}
> protected ByteSequence looseUnmarshalByteSequence(DataInput dataIn) throws IOException {
>     ByteSequence rc = null;
>     if (dataIn.readBoolean()) {
>         int size = dataIn.readInt();
>         byte[] t = new byte[size];
>         dataIn.readFully(t);
>         rc = new ByteSequence(t, 0, size);
>     }
>     return rc;
> }
> {code}
> Relevant parts of the thread dump can be found below:
> {code}
> WARNING : OutOfMemoryError possibly caused by 2131230728 bytes requested for object of class 081A5700 from memory space 'Flat' id=080B1898
> {code}
> {code}
> Thread Name: ActiveMQ Transport: tcp:///10.4.240.10:55345@61616
> State: Runnable
> Java Stack:
>   at org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.looseUnmarshalByteSequence(BaseDataStreamMarshaller.java:638)
>   at org/apache/activemq/openwire/v12/WireFormatInfoMarshaller.looseUnmarshal(WireFormatInfoMarshaller.java:132)
>   at org/apache/activemq/openwire/OpenWireFormat.doUnmarshal(OpenWireFormat.java:367(Compiled Code))
>   at org/apache/activemq/openwire/OpenWireFormat.unmarshal(OpenWireFormat.java:278(Compiled Code))
>   at org/apache/activemq/transport/tcp/TcpTransport.readCommand(TcpTransport.java:240(Compiled Code))
>   at org/apache/activemq/transport/tcp/TcpTransport.doRun(TcpTransport.java:232(Compiled Code))
>   at org/apache/activemq/transport/tcp/TcpTransport.run(TcpTransport.java:215)
>   at java/lang/Thread.run(Thread.java:863)
> {code}
> The definition of the transportConnector without the definition of the
> maxFrameSize is the following :
> {code}
> <transportConnectors>
>     <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
> </transportConnectors>
> {code}
> The definition of the transportConnector after the definition of the
> maxFrameSize :
> {code}
> <transportConnectors>
>     <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?wireFormat.maxFrameSize=104857600"/>
> </transportConnectors>
> {code}
> We have reproduced this with versions 5.13.0, 5.13.5 and 5.14.3 but this
> problem is probably related to other versions too.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
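
The mismatch described in the comment and the issue text above (the frame size prefix is compared with maxFrameSize, a later nested length is not), as an added example that is not ActiveMQ code and not the project's fix. It assumes a simplified, constructed frame layout (size prefix, presence flag, nested length, payload); `readBoundedByteSequence`, `frame` and `parse` are hypothetical names.

```java
import java.io.*;

public class BoundedLengthDemo {
    static final int MAX_FRAME_SIZE = 104857600; // value from the connector URI in the report

    // Hypothetical hardened counterpart of looseUnmarshalByteSequence: the nested
    // length is checked against the bytes left in the frame before any allocation.
    static byte[] readBoundedByteSequence(DataInput in, int remaining) throws IOException {
        if (!in.readBoolean()) {
            return null;
        }
        int size = in.readInt();
        int left = remaining - 5; // 1-byte flag and 4-byte length already consumed
        if (size < 0 || size > left) {
            throw new IOException("nested length " + size + " exceeds remaining frame bytes " + left);
        }
        byte[] data = new byte[size];
        in.readFully(data);
        return data;
    }

    // Constructed sample frame (assumed layout, not the full OpenWire encoding).
    static byte[] frame(int nestedLength, byte[] payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(1 + 4 + payload.length); // outer size prefix, always small here
        out.writeBoolean(true);
        out.writeInt(nestedLength);           // the second int, unchecked in the quoted code
        out.write(payload);
        return bos.toByteArray();
    }

    static String parse(byte[] frame) {
        try {
            DataInputStream in = new DataInputStream(new ByteArrayInputStream(frame));
            int size = in.readInt(); // first int: the only value unmarshal() compares
            if (size < 0 || size > MAX_FRAME_SIZE) {
                throw new IOException("frame size " + size + " exceeds maxFrameSize");
            }
            byte[] data = readBoundedByteSequence(in, size);
            return "accepted " + (data == null ? 0 : data.length) + " bytes";
        } catch (IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(parse(frame(4, new byte[] {1, 2, 3, 4})));
        System.out.println(parse(frame(2131230728, new byte[0]))); // length from the report
    }
}
```

Both frames pass the outer maxFrameSize comparison; only the bound on the nested length stops the second one before the 2131230728-byte allocation.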