RFR: 8308144: HttpClient - uncontrolled memory consumption in SSLFlowDelegate.Reader

Paolo Di Tommaso duke at openjdk.org
Sat Nov 11 09:45:16 UTC 2023


On Thu, 25 May 2023 20:17:39 GMT, zhurs <duke at openjdk.org> wrote:

> When using HttpClient to make requests to HTTPS resources, there is an issue where the entire file is being downloaded into memory without the ability to limit the buffer size.
> If the SSLEngine cannot decode the entire buffer due to the algorithm's blocking nature, it returns a decoded chunk of data and BUFFER_UNDERFLOW status, which leads to SSLFlowDelegate.Reader requesting more data despite the output queue being full.

Thanks a lot! Very appreciated.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/14159#issuecomment-1806766442


More information about the security-dev mailing list