RFR 9: JEP 290: Filter Incoming Serialization Data
Roger Riggs
roger.riggs at Oracle.com
Wed Aug 31 14:14:38 UTC 2016
Hi Peter,
Since the filter is passed information about each object created, a
stateful filter can tabulate
the cumulative size itself if that is a concern.
Also, a stateless filter can be constructed to check a combination of
the total number of objects,
depth, array sizes, and stream size. Since arrays are initialized with
data from the stream,
the stream size provides a practical limit.
Roger
On 8/29/16 10:07 PM, Peter Firmstone wrote:
> Include original message
>
> A quick thought on the array size filter:
>
> The system creates an array with a size read from the stream.
>
> If Mallory sends a multidimensional array in the stream, then Mallory can consume all jvm memory without exceeding the array size limit or the stream data limit.
>
> We also need an array combined length limit.
>
> Thanks,
>
> Peter.
>
> Sent from my Samsung device.
>
More information about the core-libs-dev
mailing list