You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Konstantinos Pistopoulos (JIRA)" <ji...@apache.org> on 2017/02/10 14:51:41 UTC
[jira] [Updated] (AMQ-6596) Out Of Memory error reported on ActiveMQ client during openwire unmarshalling

     [ https://issues.apache.org/jira/browse/AMQ-6596?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konstantinos Pistopoulos updated AMQ-6596:
------------------------------------------
    Attachment: packet.raw

Please find attached the packet that was responsible for this behavior (packet.raw)

> Out Of Memory error reported on ActiveMQ client during openwire unmarshalling
> -----------------------------------------------------------------------------
>
>                 Key: AMQ-6596
>                 URL: https://issues.apache.org/jira/browse/AMQ-6596
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker, JMS client, Transport
>    Affects Versions: 5.13.0, 5.13.5, 5.14.3
>         Environment: SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3
>            Reporter: Konstantinos Pistopoulos
>         Attachments: packet.raw
>
>
> ActiveMQ crashes during a vulnerability scanning using Qualys vulnerability scanner.
> {code}
> 2017-02-10 14:30:18,631 [0.1:55345@61616] WARN  Transport                      - Transport Connection to: tcp://127.0.0.1:55345 failed: java.io.IOException: Unexpected error occurred: java.lang.OutOfMemoryError: Java heap space
> {code}
> This OOM error is caused due to an attempt to initialize a huge byte array of 2131230728 bytes size. The problem still occurs even if we define the maxFrameSize to 100MB. 
> It seems that the first comparison with the maxFrameSize is successful (method unmarshal) but in the later evaluation of dataIn.readInt() in method  looseUnmarshalByteSequence, a huge value is evaluated (2131230728 bytes)
> {code}
> @Override
>     public Object unmarshal(DataInput dis) throws IOException {
>         DataInput dataIn = dis;
>         if (!sizePrefixDisabled) {
>             int size = dis.readInt();
>             if (size > maxFrameSize) {
>                 throw IOExceptionSupport.createFrameSizeException(size, maxFrameSize);
>             }
>             // int size = dis.readInt();
>             // byte[] data = new byte[size];
>             // dis.readFully(data);
>             // bytesIn.restart(data);
>             // dataIn = bytesIn;
>         }
>         return doUnmarshal(dataIn);
>     }
> {code}
> {code}
>     protected ByteSequence looseUnmarshalByteSequence(DataInput dataIn) throws IOException {
>         ByteSequence rc = null;
>         if (dataIn.readBoolean()) {
>             int size = dataIn.readInt();
>             byte[] t = new byte[size];
>             dataIn.readFully(t);
>             rc = new ByteSequence(t, 0, size);
>         }
>         return rc;
>     }
> {code}
> Relevant parts of the thread dump can be found below:
> {code}
> WARNING : OutOfMemoryError possibly caused by 2131230728 bytes requested for object of class 081A5700 from memory space 'Flat' id=080B1898
> {code}
> {code}
> Thread Name
> ActiveMQ Transport: tcp:///10.4.240.10:55345@61616
> State
> Runnable
> Java Stack
> at org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.looseUnmarshalByteSequence(BaseDataStreamMarshaller.java:638) 
> at org/apache/activemq/openwire/v12/WireFormatInfoMarshaller.looseUnmarshal(WireFormatInfoMarshaller.java:132) 
> at org/apache/activemq/openwire/OpenWireFormat.doUnmarshal(OpenWireFormat.java:367(Compiled Code)) 
> at org/apache/activemq/openwire/OpenWireFormat.unmarshal(OpenWireFormat.java:278(Compiled Code)) 
> at org/apache/activemq/transport/tcp/TcpTransport.readCommand(TcpTransport.java:240(Compiled Code)) 
> at org/apache/activemq/transport/tcp/TcpTransport.doRun(TcpTransport.java:232(Compiled Code)) 
> at org/apache/activemq/transport/tcp/TcpTransport.run(TcpTransport.java:215) 
> at java/lang/Thread.run(Thread.java:863)
> {code}
> The definition of the transportConnector without the definition of the maxFrameSize is the following :
> {code}
>         <transportConnectors>
>             <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
>         </transportConnectors>
> {code}
> The definition of the transportConnector after the definition of the maxFrameSize  :
> {code}
>  <transportConnectors>
>       <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?wireFormat.maxFrameSize=104857600"/>
>     </transportConnectors>
> {code}
> We have reproduced this with versions 5.13.0, 5.13.5 and 5.14.3 but this problem is probably related to other versions too.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)