Uploaded image for project: 'Apache Avro'
  1. Apache Avro
  2. AVRO-391

DoS possible on java rpc servers

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 1.3.0
    • None
    • java
    • None

    • OpenJDK 1.6, Linux

    Description

      It is possible to crash an avro rpc server (java) by writing random strings to the socket:

      Try...
      echo "boom" | nc localhost 9160

      You get...
      java.lang.OutOfMemoryError: Java heap space
      at java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:57)
      at java.nio.ByteBuffer.allocate(ByteBuffer.java:329)
      at org.apache.avro.ipc.SocketTransceiver.readBuffers(SocketTransceiver.java:65)
      at org.apache.avro.ipc.SocketServer$Connection.run(SocketServer.java:91)
      at java.lang.Thread.run(Thread.java:636)

      Attachments

        Issue Links

          is related to

          Test - A new unit, integration or system test. AVRO-144 add random RPC request tests

          • Major - Major loss of function.
          • Open

          Activity

            People

              Unassigned Unassigned
              urandom Eric Evans
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated: