RFR: 8308144: HttpClient - uncontrolled memory consumption in SSLFlowDelegate.Reader

Daniel Fuchs dfuchs at openjdk.org
Fri May 26 08:34:01 UTC 2023


On Thu, 25 May 2023 20:17:39 GMT, zhurs <duke at openjdk.org> wrote:

> When using HttpClient to make requests to HTTPS resources, there is an issue where the entire file is being downloaded into memory without the ability to limit the buffer size.
> If the SSLEngine cannot decode the entire buffer due to the algorithm's blocking nature, it returns a decoded chunk of data and BUFFER_UNDERFLOW status, which leads to SSLFlowDelegate.Reader requesting more data despite the output queue being full.

See https://docs.oracle.com/en/java/javase/20/docs/api/java.net.http/module-summary.html

- jdk.httpclient.receiveBufferSize (default: operating system default): The HTTP client [socket receive buffer size](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/net/StandardSocketOptions.html#SO_RCVBUF) in bytes.

- jdk.httpclient.sendBufferSize (default: operating system default): The HTTP client socket [send buffer size](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/net/StandardSocketOptions.html#SO_SNDBUF). Values less than or equal to zero are ignored.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/14159#issuecomment-1564011270
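The back-pressure rule at the heart of the PR description (a BUFFER_UNDERFLOW from SSLEngine.unwrap must not by itself trigger a request for more network bytes while the decrypted output has nowhere to go) is easier to see in a small pull-style reader than in the JDK's flow-control code. The class below is an added illustration written for this page; it is not SSLFlowDelegate.Reader, nor code from the PR or from either poster. The class name BoundedTlsReader, the maxQueuedBytes limit and the feed/poll/needsMoreNetworkData methods are all assumptions made for the example, and it assumes the SSLEngine has already completed its handshake and is only carrying application data (post-handshake messages that require a wrap, such as a TLS 1.3 KeyUpdate, are out of scope).

```java
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import java.nio.ByteBuffer;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Illustrative TLS record reader whose decrypted output is bounded.
 * Added example, NOT the JDK's SSLFlowDelegate.Reader. Assumes (hypothetical
 * precondition) that the engine has finished its handshake; the caller owns the
 * socket, calls feed() with whatever it read, then needsMoreNetworkData() to
 * decide whether to read again, and poll() to consume plaintext.
 */
final class BoundedTlsReader {
    private final SSLEngine engine;
    private final Deque<ByteBuffer> plaintext = new ArrayDeque<>();
    private final int maxQueuedBytes;   // hypothetical cap on decrypted-but-unconsumed bytes
    private int queuedBytes;
    private ByteBuffer net;             // encrypted bytes not yet unwrapped (may hold a partial record)
    private boolean closed;

    BoundedTlsReader(SSLEngine engine, int maxQueuedBytes) {
        this.engine = engine;
        this.maxQueuedBytes = maxQueuedBytes;
        this.net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
    }

    boolean outputFull() { return queuedBytes >= maxQueuedBytes; }

    /**
     * The rule the bug report is about: ask the socket for more bytes only while
     * the plaintext queue has room. An incomplete record (BUFFER_UNDERFLOW) is not
     * on its own a reason to keep reading when nobody is draining the output.
     */
    boolean needsMoreNetworkData() { return !closed && !outputFull(); }

    /** Append bytes read from the socket, then unwrap as many complete records as the queue allows. */
    void feed(ByteBuffer fromSocket) throws SSLException {
        if (net.remaining() < fromSocket.remaining()) {      // grow to hold pending partial record + new bytes
            ByteBuffer bigger = ByteBuffer.allocate(net.position() + fromSocket.remaining());
            net.flip();
            bigger.put(net);
            net = bigger;
        }
        net.put(fromSocket);
        drain();
    }

    /** Hand one decrypted chunk to the consumer; frees queue space so reading can resume. */
    ByteBuffer poll() {
        ByteBuffer b = plaintext.poll();
        if (b != null) queuedBytes -= b.remaining();
        return b;
    }

    private void drain() throws SSLException {
        net.flip();                                          // read mode for unwrap
        try {
            while (net.hasRemaining() && !outputFull() && !closed) {
                ByteBuffer app = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
                SSLEngineResult r = engine.unwrap(net, app);
                switch (r.getStatus()) {
                    case BUFFER_UNDERFLOW:                   // partial record: keep its bytes, stop until fed again
                        return;
                    case BUFFER_OVERFLOW:                    // not expected with getApplicationBufferSize(); fail loudly
                        throw new SSLException("application buffer too small: " + app.capacity());
                    case CLOSED:
                        closed = true;
                        return;
                    case OK:
                        app.flip();
                        if (app.hasRemaining()) {            // one record's plaintext, counted against the cap
                            plaintext.add(app);
                            queuedBytes += app.remaining();
                        }
                }
            }
        } finally {
            net.compact();                                   // retain unconsumed bytes, back to write mode
        }
    }
}
```

The loop checks outputFull() before every unwrap, and on BUFFER_UNDERFLOW it simply returns with the partial record retained; whether to read more from the socket is decided separately by needsMoreNetworkData(), so a full plaintext queue stops both decryption and network reads until poll() makes room. Note that this bounds the decrypted queue only; the jdk.httpclient.receiveBufferSize property cited in the reply sets SO_RCVBUF on the socket, which is a separate, kernel-side buffer.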


