[ https://issues.apache.org/jira/browse/AMQ-6596?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17930410#comment-17930410 ]
ASF subversion and git services commented on AMQ-6596:
------------------------------------------------------
Commit fc4372b9f0f72b8b5eed917f0019c5cea45c5d06 in activemq's branch
refs/heads/main from Christopher L. Shannon
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=fc4372b9f0 ]
Merge pull request #1399 from cshannon/buffer-validation
AMQ-6596 - Validate size of buffers during unmarshalling
> Out Of Memory error reported on ActiveMQ client during openwire unmarshalling
> -----------------------------------------------------------------------------
>
> Key: AMQ-6596
> URL: https://issues.apache.org/jira/browse/AMQ-6596
> Project: ActiveMQ Classic
> Issue Type: Bug
> Components: Broker, JMS client, Transport
> Affects Versions: 5.13.0, 5.13.5, 5.14.3
> Environment: SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11,
> PATCHLEVEL = 3. Java Runtime: IBM Corporation 1.7.0
> Reporter: KoPs
> Assignee: Christopher L. Shannon
> Priority: Critical
> Attachments: packet.raw
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> ActiveMQ crashes during a vulnerability scan using the Qualys vulnerability
> scanner.
> {code}
> 2017-02-10 14:30:18,631 [0.1:55345@61616] WARN Transport
> - Transport Connection to: tcp://127.0.0.1:55345 failed:
> java.io.IOException: Unexpected error occurred: java.lang.OutOfMemoryError:
> Java heap space
> {code}
> This OOM error is caused by an attempt to initialize a huge byte array of
> 2131230728 bytes. The problem still occurs even if we define the
> maxFrameSize to 100MB.
> It seems that the first comparison with the maxFrameSize is successful
> (method unmarshal) but in the later evaluation of dataIn.readInt() in method
> looseUnmarshalByteSequence, a huge value is evaluated (2131230728 bytes)
> {code}
> @Override
> public Object unmarshal(DataInput dis) throws IOException {
>     DataInput dataIn = dis;
>     if (!sizePrefixDisabled) {
>         int size = dis.readInt();
>         if (size > maxFrameSize) {
>             throw IOExceptionSupport.createFrameSizeException(size, maxFrameSize);
>         }
>         // int size = dis.readInt();
>         // byte[] data = new byte[size];
>         // dis.readFully(data);
>         // bytesIn.restart(data);
>         // dataIn = bytesIn;
>     }
>     return doUnmarshal(dataIn);
> }
> {code}
> {code}
> protected ByteSequence looseUnmarshalByteSequence(DataInput dataIn)
>         throws IOException {
>     ByteSequence rc = null;
>     if (dataIn.readBoolean()) {
>         int size = dataIn.readInt();
>         byte[] t = new byte[size];
>         dataIn.readFully(t);
>         rc = new ByteSequence(t, 0, size);
>     }
>     return rc;
> }
> {code}
> Relevant parts of the thread dump can be found below:
> {code}
> WARNING : OutOfMemoryError possibly caused by 2131230728 bytes requested for
> object of class 081A5700 from memory space 'Flat' id=080B1898
> {code}
> {code}
> Thread Name
> ActiveMQ Transport: tcp:///10.4.240.10:55345@61616
> State
> Runnable
> Java Stack
> at org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.looseUnmarshalByteSequence(BaseDataStreamMarshaller.java:638)
> at org/apache/activemq/openwire/v12/WireFormatInfoMarshaller.looseUnmarshal(WireFormatInfoMarshaller.java:132)
> at org/apache/activemq/openwire/OpenWireFormat.doUnmarshal(OpenWireFormat.java:367(Compiled Code))
> at org/apache/activemq/openwire/OpenWireFormat.unmarshal(OpenWireFormat.java:278(Compiled Code))
> at org/apache/activemq/transport/tcp/TcpTransport.readCommand(TcpTransport.java:240(Compiled Code))
> at org/apache/activemq/transport/tcp/TcpTransport.doRun(TcpTransport.java:232(Compiled Code))
> at org/apache/activemq/transport/tcp/TcpTransport.run(TcpTransport.java:215)
> at java/lang/Thread.run(Thread.java:863)
> {code}
> The definition of the transportConnector without the definition of the
> maxFrameSize is the following:
> {code}
> <transportConnectors>
>     <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
> </transportConnectors>
> {code}
> The definition of the transportConnector after the definition of the
> maxFrameSize:
> {code}
> <transportConnectors>
>     <transportConnector name="openwire"
>         uri="tcp://0.0.0.0:61616?wireFormat.maxFrameSize=104857600"/>
> </transportConnectors>
> {code}
> We have reproduced this with versions 5.13.0, 5.13.5 and 5.14.3 but this
> problem is probably related to other versions too.
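The report above shows an inner length field read with `dataIn.readInt()` and passed straight to `new byte[size]` after the outer frame size has already been checked. The following is an added example, not code from the issue or from pull request #1399, showing one way to validate such a nested length before allocating. The class name, method name and the `remainingInFrame` parameter are assumptions, and the sample frames are constructed (the large length is the value quoted in the report).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

// Added illustration, not ActiveMQ code: class and method names are hypothetical.
public class BoundedByteSequenceDemo {

    // Reads an optional length-prefixed byte array, refusing any declared
    // length that is negative or larger than the bytes left in the frame.
    static byte[] readBoundedBytes(DataInput in, int remainingInFrame) throws IOException {
        if (!in.readBoolean()) {
            return null;                       // field not present
        }
        int size = in.readInt();
        int available = remainingInFrame - 5;  // 1-byte flag + 4-byte length already consumed
        if (size < 0 || size > available) {
            throw new IOException("Declared buffer size " + size
                    + " exceeds " + available + " bytes left in frame");
        }
        byte[] data = new byte[size];          // allocation is bounded by the frame size
        in.readFully(data);
        return data;
    }

    public static void main(String[] args) throws IOException {
        // Constructed frames: same 3-byte payload, honest length vs. the length from the report.
        for (int declared : new int[] {3, 2131230728}) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            DataOutputStream out = new DataOutputStream(buf);
            out.writeBoolean(true);
            out.writeInt(declared);
            out.write(new byte[] {1, 2, 3});
            byte[] frame = buf.toByteArray();
            try {
                byte[] data = readBoundedBytes(
                        new DataInputStream(new ByteArrayInputStream(frame)), frame.length);
                System.out.println("declared " + declared + ": read " + data.length + " bytes");
            } catch (IOException e) {
                System.out.println("declared " + declared + ": rejected, " + e.getMessage());
            }
        }
    }
}
```

Because the outer frame size has already been compared with `maxFrameSize`, bounding every nested length by the bytes remaining in the frame keeps each allocation under that configured limit as well.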