On 07/10/2013 14:09, Konstantin Preißer wrote:
> Hi Mark,
> thank you for your reply.
> 
>> -----Original Message-----
>> From: Mark Thomas [mailto:ma...@apache.org]
>> Sent: Monday, October 7, 2013 2:50 PM
>> To: Tomcat Developers List
>> Subject: Re: 8.0.x / 7.0.x progress
> 
>>> However, it seems when the websocket message is greater than ~ 8 KB
>>> (perhaps the value of org.apache.tomcat.websocket.textBufferSize)
>>> then Tomcat does not call the @OnMessage method, and sometimes it
>>> closes the websocket connection. This happens for BIO and NIO (I
>>> haven't checked with APR). The Javadoc for @OnMessage says that for
>>> "maxMessageSize" element: "Specifies the maximum size of message in
>>> bytes that the method this annotates will be able to process, or -1
>>> to indicate that there is no maximum. The default is -1." So,
>>> normally Tomcat should be able to receive such large messages,
>>> right?
>>
>> Only if the endpoint supports partial messages. If partial messages are
>> not supported the connection should be closed with an error message.
> 
> Hmm. But ...   :)
> 
> The complete javadoc for "maxMessageSize" [1] reads:
> 
> "Specifies the maximum size of message in bytes that the method this 
> annotates will be able to process, or -1 to indicate that there is no 
> maximum. The default is -1. This attribute only applies when the annotation 
> is used to process *whole messages*, not to those methods that process 
> messages in parts or use a stream or reader parameter to handle the incoming 
> message. If the incoming whole message exceeds this limit, then the 
> implementation generates an error and closes the connection using the reason 
> that the message was too big."
> 
> To me this reads that by default (value = -1), there is no limit when 
> processing whole messages, so I think Tomcat should handle such large 
> messages when not using methods to read partial messages.
> 
> Am I missing something?

DoS via a single large message that triggers an OOME.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
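
The trade-off discussed in this thread, as an added example that is not code from the thread or from the Tomcat project: a whole-message handler that declares an explicit `maxMessageSize` instead of relying on the default of -1, beside a partial-message handler that has to bound its own buffer because the attribute does not apply to it. The class names, endpoint paths and the 64 KB limit are assumptions chosen for illustration.

```java
import java.io.IOException;
import javax.websocket.CloseReason;
import javax.websocket.CloseReason.CloseCodes;
import javax.websocket.OnMessage;
import javax.websocket.Session;
import javax.websocket.server.ServerEndpoint;

// Hypothetical endpoints: names, paths and the limit are assumptions.
public class BoundedEndpoints {

    static final int MAX_MESSAGE_SIZE = 64 * 1024; // assumed application limit

    // Whole-message handler: state the cap explicitly. Per the Javadoc
    // quoted above, a whole message over the limit makes the implementation
    // generate an error and close the connection as "too big".
    @ServerEndpoint("/whole")
    public static class WholeMessageEndpoint {
        @OnMessage(maxMessageSize = MAX_MESSAGE_SIZE)
        public void onText(String message, Session session) {
            // application logic; the message is within the declared limit
        }
    }

    // Partial-message handler: maxMessageSize does not apply here, so the
    // endpoint bounds what it accumulates (counted in chars in this sketch).
    @ServerEndpoint("/partial")
    public static class PartialMessageEndpoint {
        // One endpoint instance per connection by default, so this buffer
        // holds the parts of a single peer's current message.
        private final StringBuilder buffer = new StringBuilder();

        @OnMessage
        public void onPart(String part, boolean last, Session session) throws IOException {
            if (buffer.length() + part.length() > MAX_MESSAGE_SIZE) {
                buffer.setLength(0); // release what was accumulated so far
                session.close(new CloseReason(CloseCodes.TOO_BIG, "message too big"));
                return;
            }
            buffer.append(part);
            if (last) {
                String message = buffer.toString();
                buffer.setLength(0);
                handle(message);
            }
        }

        private void handle(String message) {
            // application logic on the complete, bounded message
        }
    }
}
```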
