[ https://issues.apache.org/jira/browse/KAFKA-2878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15023264#comment-15023264 ]
ASF GitHub Bot commented on KAFKA-2878:
---------------------------------------

GitHub user rajinisivaram opened a pull request:

    https://github.com/apache/kafka/pull/577

    KAFKA-2878: Guard against OutOfMemory in Kafka broker

    Sanity check array size in requests before allocation

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/rajinisivaram/kafka KAFKA-2878

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/577.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #577

----
commit 8d1a8a9d4e0444929db8218ded5949a0b827c42d
Author: Rajini Sivaram <rajinisiva...@googlemail.com>
Date:   2015-11-23T22:42:51Z

    KAFKA-2878: Guard against OutOfMemory in Kafka broker with invalid requests

----

> Kafka broker throws OutOfMemory exception with invalid join group request
> -------------------------------------------------------------------------
>
>                 Key: KAFKA-2878
>                 URL: https://issues.apache.org/jira/browse/KAFKA-2878
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 0.9.0.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Critical
>
> Array allocation for join group request doesn't have any checks and hence can
> result in OutOfMemory exception in the broker. Array size from the request
> should be validated to avoid DoS attacks on a secure installation of Kafka.
> {quote}
> at org/apache/kafka/common/protocol/types/ArrayOf.read(ArrayOf.java:44)
> at org/apache/kafka/common/protocol/types/Schema.read(Schema.java:69)
> at org/apache/kafka/common/protocol/ProtoUtils.parseRequest(ProtoUtils.java:60)
> at org/apache/kafka/common/requests/JoinGroupRequest.parse(JoinGroupRequest.java:144)
> at org/apache/kafka/common/requests/AbstractRequest.getRequest(AbstractRequest.java:55)
> at kafka/network/RequestChannel$Request.<init>(RequestChannel.scala:78)
> {quote}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
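The issue description above asks for the array size taken from the request to be validated before the broker allocates for it. The following is an added illustration, not Kafka's ArrayOf or Schema code and not the change in PR #577: a simplified length-prefixed array reader in its unchecked form next to a form that checks the declared element count before allocating. The class and method names, the MAX_ARRAY_ELEMENTS cap, the MalformedRequestException type and the wire layout used here (int32 element count, int16-length-prefixed UTF-8 strings) are all assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Added illustration, not Kafka's ArrayOf/Schema code: a length-prefixed array
// reader in its unchecked form and in a form that validates the declared size.
public class BoundedArrayRead {

    /** Raised when a length field in the request cannot be satisfied. */
    public static class MalformedRequestException extends RuntimeException {
        public MalformedRequestException(String message) { super(message); }
    }

    // Hypothetical per-array element cap; a real broker would size this per field.
    static final int MAX_ARRAY_ELEMENTS = 10_000;

    /** Unchecked form: the element count is taken from the wire as-is. */
    public static String[] readStringsUnchecked(ByteBuffer buf) {
        int size = buf.getInt();
        String[] out = new String[size]; // a huge declared count fails here with OutOfMemoryError
        for (int i = 0; i < size; i++) {
            out[i] = readString(buf);
        }
        return out;
    }

    /** Checked form: reject impossible counts before any allocation happens. */
    public static String[] readStringsChecked(ByteBuffer buf) {
        int size = buf.getInt();
        if (size < 0) {
            throw new MalformedRequestException("negative array size " + size);
        }
        if (size > MAX_ARRAY_ELEMENTS) {
            throw new MalformedRequestException("array size " + size + " exceeds limit " + MAX_ARRAY_ELEMENTS);
        }
        // Every element carries at least a 2-byte length prefix, so the bytes
        // actually present in the request bound the number of elements.
        if (size > buf.remaining() / 2) {
            throw new MalformedRequestException("array size " + size + " not backed by " + buf.remaining() + " bytes");
        }
        String[] out = new String[size];
        for (int i = 0; i < size; i++) {
            out[i] = readString(buf);
        }
        return out;
    }

    /** Reads an int16-length-prefixed UTF-8 string, also bounds-checked. */
    static String readString(ByteBuffer buf) {
        if (buf.remaining() < 2) {
            throw new MalformedRequestException("truncated string length");
        }
        int length = buf.getShort() & 0xFFFF;
        if (length > buf.remaining()) {
            throw new MalformedRequestException("string length " + length + " exceeds remaining " + buf.remaining());
        }
        byte[] bytes = new byte[length];
        buf.get(bytes);
        return new String(bytes, StandardCharsets.UTF_8);
    }

    /** Encodes a well-formed array for the demonstration. */
    static ByteBuffer encodeStrings(String... values) {
        int total = 4;
        byte[][] encoded = new byte[values.length][];
        for (int i = 0; i < values.length; i++) {
            encoded[i] = values[i].getBytes(StandardCharsets.UTF_8);
            total += 2 + encoded[i].length;
        }
        ByteBuffer buf = ByteBuffer.allocate(total);
        buf.putInt(values.length);
        for (byte[] e : encoded) {
            buf.putShort((short) e.length);
            buf.put(e);
        }
        buf.flip();
        return buf;
    }

    public static void main(String[] args) {
        // Constructed well-formed request body.
        String[] parsed = readStringsChecked(encodeStrings("range", "roundrobin"));
        System.out.println("parsed " + parsed.length + " elements");

        // Constructed malformed body: declares Integer.MAX_VALUE elements with no payload.
        ByteBuffer bogus = ByteBuffer.allocate(4).putInt(Integer.MAX_VALUE);
        bogus.flip();
        try {
            readStringsChecked(bogus);
        } catch (MalformedRequestException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two checks serve different purposes: the comparison against the bytes remaining in the buffer rejects the cheapest malformed request, a few-byte header that declares an enormous count, while the fixed cap still protects the broker when a request does carry enough bytes to make the count plausible but the resulting allocation is larger than any legitimate join group request needs. Both run before `new String[size]`, which is the point where the stack trace above shows the unchecked version failing.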