You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@avro.apache.org by "Eric Evans (JIRA)" <ji...@apache.org> on 2010/02/01 18:52:18 UTC

[jira] Created: (AVRO-391) DoS possible on java rpc servers

DoS possible on java rpc servers
--------------------------------

                 Key: AVRO-391
                 URL: https://issues.apache.org/jira/browse/AVRO-391
             Project: Avro
          Issue Type: Bug
          Components: java
    Affects Versions: 1.3.0
         Environment: OpenJDK 1.6, Linux
            Reporter: Eric Evans


It is possible to crash an avro rpc server (java) by writing random strings to the socket:

Try... 
echo "boom" | nc localhost 9160

You get...
java.lang.OutOfMemoryError: Java heap space
	at java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:57)
	at java.nio.ByteBuffer.allocate(ByteBuffer.java:329)
	at org.apache.avro.ipc.SocketTransceiver.readBuffers(SocketTransceiver.java:65)
	at org.apache.avro.ipc.SocketServer$Connection.run(SocketServer.java:91)
	at java.lang.Thread.run(Thread.java:636)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (AVRO-391) DoS possible on java rpc servers

Posted by "Jeff Hodges (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/AVRO-391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12853347#action_12853347 ] 

Jeff Hodges commented on AVRO-391:
----------------------------------

c.f. THRIFT-601.

> DoS possible on java rpc servers
> --------------------------------
>
>                 Key: AVRO-391
>                 URL: https://issues.apache.org/jira/browse/AVRO-391
>             Project: Avro
>          Issue Type: Bug
>          Components: java
>    Affects Versions: 1.3.0
>         Environment: OpenJDK 1.6, Linux
>            Reporter: Eric Evans
>
> It is possible to crash an avro rpc server (java) by writing random strings to the socket:
> Try... 
> echo "boom" | nc localhost 9160
> You get...
> java.lang.OutOfMemoryError: Java heap space
> 	at java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:57)
> 	at java.nio.ByteBuffer.allocate(ByteBuffer.java:329)
> 	at org.apache.avro.ipc.SocketTransceiver.readBuffers(SocketTransceiver.java:65)
> 	at org.apache.avro.ipc.SocketServer$Connection.run(SocketServer.java:91)
> 	at java.lang.Thread.run(Thread.java:636)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.