Avro / AVRO-391

DoS possible on java rpc servers

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.3.0
    • Fix Version/s: None
    • Component/s: java
    • Labels:
      None
    • Environment:

      OpenJDK 1.6, Linux

      Description

      It is possible to crash an avro rpc server (java) by writing random strings to the socket:

      Try...
      echo "boom" | nc localhost 9160

      You get...
      java.lang.OutOfMemoryError: Java heap space
      at java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:57)
      at java.nio.ByteBuffer.allocate(ByteBuffer.java:329)
      at org.apache.avro.ipc.SocketTransceiver.readBuffers(SocketTransceiver.java:65)
      at org.apache.avro.ipc.SocketServer$Connection.run(SocketServer.java:91)
      at java.lang.Thread.run(Thread.java:636)

        Issue Links

          Activity

          Doug Cutting made changes -
          Field: Link | New Value: This issue is related to AVRO-144 [ AVRO-144 ]

          Eric Evans created issue -

            People

            • Assignee: Unassigned
            • Reporter: Eric Evans
            • Votes: 1
            • Watchers: 4
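
The first four bytes of "boom" decode as a big-endian int to 1,651,470,189, so a reader that hands a peer-supplied length prefix straight to ByteBuffer.allocate requests about 1.5 GiB of heap. The sketch below is an added example, not Avro's code: it assumes 4-byte big-endian length prefixes ended by a zero-length terminator (consistent with the stack trace, but not shown on this page), and the class name BoundedFrameReader and both limits are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class BoundedFrameReader {
    // Hypothetical limits for this sketch; size them to the largest legitimate RPC message.
    static final int MAX_FRAME_BYTES = 1 << 20;     // one length-prefixed buffer
    static final int MAX_MESSAGE_BYTES = 16 << 20;  // all buffers of one message

    // Reads length-prefixed buffers until a zero-length terminator.
    // The peer-supplied length is validated BEFORE anything is allocated.
    static List<ByteBuffer> readBuffers(InputStream raw) throws IOException {
        DataInputStream in = new DataInputStream(raw);
        List<ByteBuffer> buffers = new ArrayList<>();
        long total = 0;
        while (true) {
            int length = in.readInt();              // 4 bytes, big-endian, untrusted
            if (length == 0) return buffers;
            if (length < 0 || length > MAX_FRAME_BYTES)
                throw new IOException("frame length " + length + " outside 1.." + MAX_FRAME_BYTES);
            total += length;
            if (total > MAX_MESSAGE_BYTES)
                throw new IOException("message exceeds " + MAX_MESSAGE_BYTES + " bytes");
            byte[] data = new byte[length];
            in.readFully(data);                     // throws EOFException on a short frame
            buffers.add(ByteBuffer.wrap(data));
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: the bytes that `echo "boom" | nc` puts on the wire.
        byte[] junk = "boom\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println("prefix as int: " + ByteBuffer.wrap(junk).getInt());
        try {
            readBuffers(new ByteArrayInputStream(junk));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed well-formed message: one 2-byte frame, then the terminator.
        byte[] ok = {0, 0, 0, 2, 'h', 'i', 0, 0, 0, 0};
        System.out.println("frames read: " + readBuffers(new ByteArrayInputStream(ok)).size());
    }
}
```

On a rejected frame the caller should close that connection; the per-connection bound only caps memory if the number of concurrent connections is limited as well.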
