RFR: 8308144: HttpClient - uncontrolled memory consumption in SSLFlowDelegate.Reader
Jaikiran Pai
jpai at openjdk.org
Sat Nov 11 09:21:12 UTC 2023
On Sat, 11 Nov 2023 08:28:14 GMT, Paolo Di Tommaso <duke at openjdk.org> wrote:
>> When using HttpClient to make requests to HTTPS resources, there is an issue where the entire file is being downloaded into memory without the ability to limit the buffer size.
>> If the SSLEngine cannot decode the entire buffer due to the algorithm's blocking nature, it returns a decoded chunk of data and BUFFER_UNDERFLOW status, which leads to SSLFlowDelegate.Reader requesting more data despite the output queue being full.
>
> It turns out this is a serious issue in the Java HttpClient. Any chance to re-open this?
Hello @pditommaso, I've the necessary test changes ready and I will be opening a PR this coming week.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/14159#issuecomment-1806760629
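
The flow-control problem described in the quoted PR text, as an added illustration that is not code from the JDK or from this thread: a simplified model of a reader that asks upstream for another buffer after each decode, with and without a check on the output queue. The class name, record and buffer sizes, `QUEUE_LIMIT` and the slow-consumer rate are assumptions made for the model.

```java
import java.util.ArrayDeque;
// Simplified model of the reported behaviour; NOT the JDK's SSLFlowDelegate code.
// All sizes, names and the queue limit are assumptions made for this illustration.
public class ReaderDemandModel {
    enum Status { OK, BUFFER_UNDERFLOW }

    static final int RECORD = 16_384;      // constructed: bytes per encrypted record
    static final int NET_BUFFER = 20_000;  // constructed: bytes per upstream buffer
    static final int QUEUE_LIMIT = 4;      // hypothetical cap on undelivered chunks

    private final ArrayDeque<Integer> output = new ArrayDeque<>(); // decoded chunk sizes
    private int pending;                   // undecoded bytes carried between calls
    private long queuedBytes, peakBytes;

    // Decodes every complete record in `pending`; a trailing partial record
    // yields BUFFER_UNDERFLOW even though decoded data was produced.
    private Status unwrap() {
        while (pending >= RECORD) {
            pending -= RECORD;
            output.add(RECORD);
            queuedBytes += RECORD;
        }
        peakBytes = Math.max(peakBytes, queuedBytes);
        return pending > 0 ? Status.BUFFER_UNDERFLOW : Status.OK;
    }

    // Feeds `buffers` upstream buffers; downstream takes one chunk every
    // `consumeEvery` steps. Returns the peak number of queued decoded bytes.
    static long run(int buffers, int consumeEvery, boolean honourQueueLimit) {
        ReaderDemandModel r = new ReaderDemandModel();
        int step = 0;
        while (buffers > 0 || !r.output.isEmpty()) {
            if (++step % consumeEvery == 0 && !r.output.isEmpty()) {
                r.queuedBytes -= r.output.poll();   // slow downstream consumer
            }
            boolean full = r.output.size() >= QUEUE_LIMIT;
            if (buffers > 0 && !(honourQueueLimit && full)) {
                buffers--;
                r.pending += NET_BUFFER;   // upstream delivered one more buffer
                r.unwrap();                // usually BUFFER_UNDERFLOW: a partial record remains
            }
        }
        return r.peakBytes;
    }
    public static void main(String[] args) {
        System.out.println("demand ignores output queue: " + run(2_000, 50, false));
        System.out.println("demand gated on queue limit: " + run(2_000, 50, true));
    }
}
```

With the gate off, peak queued bytes grow with the size of the response; with it on, they stay near `QUEUE_LIMIT` records regardless of response size.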