[ https://issues.apache.org/jira/browse/AMQ-6596?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17931333#comment-17931333 ]

ASF subversion and git services commented on AMQ-6596:
------------------------------------------------------

Commit b0205f92bae6c227f5623616bfb74a079641e9b2 in activemq's branch 
refs/heads/activemq-5.16.x from Christopher L. Shannon
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=b0205f92ba ]

AMQ-6596 - Validate size of buffers during unmarshalling

Verify that size buffers for arrays and bytesequences will not exceed
the overall frame size

(cherry picked from commit 3037ce8b3b6a1efd67d273ad0bb6590c0434fad1)

(cherry picked from commit ff6dc101695b83d507be507b380e00c866e76bf6)
(cherry picked from commit 8abfa8f59d3e1b3d255917204e6c73b0d2ec48c8)


> Out Of Memory error reported on ActiveMQ client during openwire unmarshalling
> -----------------------------------------------------------------------------
>
>                 Key: AMQ-6596
>                 URL: https://issues.apache.org/jira/browse/AMQ-6596
>             Project: ActiveMQ Classic
>          Issue Type: Bug
>          Components: Broker, JMS client, Transport
>    Affects Versions: 5.13.0, 5.13.5, 5.14.3
>         Environment: SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3. Java Runtime: IBM Corporation 1.7.0
>            Reporter: KoPs
>            Assignee: Christopher L. Shannon
>            Priority: Critical
>             Fix For: 6.2.0, 5.19.0, 6.1.6
>
>         Attachments: packet.raw
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> ActiveMQ crashes during a vulnerability scan using the Qualys vulnerability 
> scanner.
> {code}
> 2017-02-10 14:30:18,631 [0.1:55345@61616] WARN  Transport - Transport Connection to: tcp://127.0.0.1:55345 failed: java.io.IOException: Unexpected error occurred: java.lang.OutOfMemoryError: Java heap space
> {code}
> This OOM error is caused by an attempt to initialize a huge byte array of 
> 2131230728 bytes. The problem still occurs even if we define the 
> maxFrameSize to be 100MB. 
> It seems that the first comparison with the maxFrameSize is successful 
> (method unmarshal), but in the later evaluation of dataIn.readInt() in method 
> looseUnmarshalByteSequence, a huge value is evaluated (2131230728 bytes).
> {code}
> @Override
> public Object unmarshal(DataInput dis) throws IOException {
>     DataInput dataIn = dis;
>     if (!sizePrefixDisabled) {
>         int size = dis.readInt();
>         if (size > maxFrameSize) {
>             throw IOExceptionSupport.createFrameSizeException(size, maxFrameSize);
>         }
>         // int size = dis.readInt();
>         // byte[] data = new byte[size];
>         // dis.readFully(data);
>         // bytesIn.restart(data);
>         // dataIn = bytesIn;
>     }
>     return doUnmarshal(dataIn);
> }
> {code}
> {code}
> protected ByteSequence looseUnmarshalByteSequence(DataInput dataIn) throws IOException {
>     ByteSequence rc = null;
>     if (dataIn.readBoolean()) {
>         int size = dataIn.readInt();
>         byte[] t = new byte[size];
>         dataIn.readFully(t);
>         rc = new ByteSequence(t, 0, size);
>     }
>     return rc;
> }
> {code}
> Relevant parts of the thread dump can be found below:
> {code}
> WARNING : OutOfMemoryError possibly caused by 2131230728 bytes requested for object of class 081A5700 from memory space 'Flat' id=080B1898
> {code}
> {code}
> Thread Name
> ActiveMQ Transport: tcp:///10.4.240.10:55345@61616
> State
> Runnable
> Java Stack
> at org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.looseUnmarshalByteSequence(BaseDataStreamMarshaller.java:638)
> at org/apache/activemq/openwire/v12/WireFormatInfoMarshaller.looseUnmarshal(WireFormatInfoMarshaller.java:132)
> at org/apache/activemq/openwire/OpenWireFormat.doUnmarshal(OpenWireFormat.java:367(Compiled Code))
> at org/apache/activemq/openwire/OpenWireFormat.unmarshal(OpenWireFormat.java:278(Compiled Code))
> at org/apache/activemq/transport/tcp/TcpTransport.readCommand(TcpTransport.java:240(Compiled Code))
> at org/apache/activemq/transport/tcp/TcpTransport.doRun(TcpTransport.java:232(Compiled Code))
> at org/apache/activemq/transport/tcp/TcpTransport.run(TcpTransport.java:215)
> at java/lang/Thread.run(Thread.java:863)
> {code}
> The definition of the transportConnector without the definition of the 
> maxFrameSize is the following:
> {code}
>         <transportConnectors>
>             <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
>         </transportConnectors>
> {code}
> The definition of the transportConnector after the definition of the 
> maxFrameSize:
> {code}
>         <transportConnectors>
>             <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?wireFormat.maxFrameSize=104857600"/>
>         </transportConnectors>
> {code}
> We have reproduced this with versions 5.13.0, 5.13.5 and 5.14.3 but this 
> problem is probably related to other versions too.
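
The check the commit message describes (a nested length field must not exceed the enclosing frame), shown as an added Java example rather than the ActiveMQ patch itself. The class, the method names and the `frameRemaining` parameter are assumptions made for illustration, and the sample frame bodies are constructed; the oversized length is the 2131230728 value from the report.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;

// Added illustration, not ActiveMQ code: all names here are hypothetical.
public class BoundedByteSequenceDemo {

    // Reads an optional, length-prefixed byte sequence, refusing any declared
    // length that is negative or larger than what is left of the enclosing frame.
    static byte[] readByteSequence(DataInputStream in, int frameRemaining) throws IOException {
        if (!in.readBoolean()) {
            return null;                       // field absent
        }
        int size = in.readInt();
        int left = frameRemaining - 1 - 4;     // presence flag and length already consumed
        if (size < 0 || size > left) {
            throw new IOException("declared length " + size
                    + " exceeds the " + left + " bytes left in the frame");
        }
        byte[] data = new byte[size];          // allocation is now bounded by the frame
        in.readFully(data);
        return data;
    }

    // Builds a constructed frame body: presence flag, declared length, payload.
    static byte[] frameBody(int declaredLength, byte[] payload) {
        return ByteBuffer.allocate(1 + 4 + payload.length)
                .put((byte) 1).putInt(declaredLength).put(payload).array();
    }

    // Parses one body and reports whether the length field was accepted.
    static String tryRead(byte[] body) {
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(body))) {
            byte[] data = readByteSequence(in, body.length);
            return "accepted " + data.length + " bytes";
        } catch (IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        byte[] payload = {1, 2, 3, 4};
        // Declared length matches the payload actually present.
        System.out.println(tryRead(frameBody(payload.length, payload)));
        // Declared length from the report inside a 9-byte body: rejected before allocation.
        System.out.println(tryRead(frameBody(2131230728, payload)));
    }
}
```

Comparing the inner length only against `maxFrameSize` would still let a small frame request a buffer up to that limit; comparing against the bytes remaining in the current frame ties the allocation to data the peer has actually committed to sending.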


