You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@avro.apache.org by "Clement Pellerin (JIRA)" <ji...@apache.org> on 2016/09/01 20:56:20 UTC
[jira] [Issue Comment Deleted] (AVRO-1610) HttpTransceiver.java
allocates arbitrary amount of memory
[ https://issues.apache.org/jira/browse/AVRO-1610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Clement Pellerin updated AVRO-1610:
-----------------------------------
Comment: was deleted
(was: Reporter (clement_pellerin@ibi.com) does not have permission to create attachments in project AVRO. Following attachments found in the email have been discarded:
- avro1610.patch)
> HttpTransceiver.java allocates arbitrary amount of memory
> ---------------------------------------------------------
>
> Key: AVRO-1610
> URL: https://issues.apache.org/jira/browse/AVRO-1610
> Project: Avro
> Issue Type: Bug
> Components: java
> Affects Versions: 1.7.7
> Reporter: Philip Zeyliger
>
> In {{HttpTransceiver.java}}, Avro does:
> {code}
> int length = (in.read()<<24)+(in.read()<<16)+(in.read()<<8)+in.read();
> if (length == 0) { // end of buffers
> return buffers;
> }
> ByteBuffer buffer = ByteBuffer.allocate(length);
> {code}
> This means that badly formatted input (like that produced by {{curl http://host/ --data foo}} and many common security scanners) will trigger an OutOfMemory exception. This is undesirable, especially combined with setups that kill the process on out of memory exceptions.
> This bug is similar in spirit to AVRO-1111.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)