RFR: 8308144: HttpClient - uncontrolled memory consumption in SSLFlowDelegate.Reader

Daniel Fuchs dfuchs at openjdk.org
Fri May 26 08:53:55 UTC 2023


On Thu, 25 May 2023 20:17:39 GMT, zhurs <duke at openjdk.org> wrote:

> When using HttpClient to make requests to HTTPS resources, there is an issue where the entire file is being downloaded into memory without the ability to limit the buffer size.
> If the SSLEngine cannot decode the entire buffer due to the algorithm's blocking nature, it returns a decoded chunk of data and BUFFER_UNDERFLOW status, which leads to SSLFlowDelegate.Reader requesting more data despite the output queue being full.

From the CI results it seems it only passes on macOS and fails consistently on all Linux or Windows flavors. But if it depends on socket buffer sizes it may actually depend on how these machines are configured by default.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/14159#issuecomment-1564038114


