Maximum size of HTTP server request part?

NIOHTTP1 yields HTTP body parts as instances of ByteBuffer. Is there a maximum size for these buffers, and if so, how can it be configured?

Is it possible to DoS an NIO channel by sending it HTTP requests with very long bodies?

There is no maximum size for these elements. However, it is not possible to DoS an NIO Channel in this way because HTTPDecoder never buffers body elements. The ByteBuffers that are passed through the Channel are either the buffers that were directly read from the network (for non-chunked payloads) or sliced out chunk segments (which are necessarily smaller than the read buffers, as the data is excluded).

However, DoS risk is possible if a user ChannelHandler performs body aggregation to flatten this stream of ByteBuffers down to a single ByteBuffer. NIO's NIOHTTPServerRequestAggregator is an example. Note that this has a maxContentLength parameter that is used to prevent DoS: any user implementation of this concept should do the same thing.

(As a sidebar, there is an effective maximum size of these ByteBuffers, which is the maximum size of a single read from the lower level transport. In HTTP/1 this will usually be either the size of the socket receive buffer (for plaintext) or the maximum size of a TLS record (for TLS). In HTTP/2, the maximum frame size is also a limit.)

3 Likes
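A user handler that aggregates the body while enforcing a cap, as the answer above recommends. This is an added sketch, not code from the thread or NIO's own `NIOHTTPServerRequestAggregator`; the class name `BoundedBodyCollector` and the `maxBodyBytes` parameter are hypothetical.

```swift
import NIOCore
import NIOHTTP1

// Hypothetical handler: flattens body parts into one ByteBuffer, but never
// holds more than maxBodyBytes (an assumed, application-chosen limit).
final class BoundedBodyCollector: ChannelInboundHandler {
    typealias InboundIn = HTTPServerRequestPart
    typealias InboundOut = ByteBuffer
    typealias OutboundOut = HTTPServerResponsePart

    private let maxBodyBytes: Int
    private var body: ByteBuffer?
    private var rejected = false

    init(maxBodyBytes: Int) { self.maxBodyBytes = maxBodyBytes }

    func channelRead(context: ChannelHandlerContext, data: NIOAny) {
        switch self.unwrapInboundIn(data) {
        case .head(let head):
            self.body = nil
            self.rejected = false
            // Early exit when the declared Content-Length already exceeds the cap.
            if let declared = head.headers.first(name: "content-length").flatMap({ Int($0) }),
               declared > self.maxBodyBytes {
                self.reject(context: context)
            }
        case .body(var part):
            guard !self.rejected else { return }
            // Chunked bodies declare no length, so count the bytes that arrive.
            let soFar = self.body?.readableBytes ?? 0
            guard soFar + part.readableBytes <= self.maxBodyBytes else {
                self.body = nil  // release what was buffered so far
                self.reject(context: context)
                return
            }
            if self.body == nil { self.body = part } else { self.body!.writeBuffer(&part) }
        case .end:
            guard !self.rejected else { return }
            context.fireChannelRead(self.wrapInboundOut(self.body ?? ByteBuffer()))
            self.body = nil
        }
    }

    // Answer 413, then close so the rest of the oversized body is never read.
    private func reject(context: ChannelHandlerContext) {
        self.rejected = true
        let headers = HTTPHeaders([("connection", "close"), ("content-length", "0")])
        let head = HTTPResponseHead(version: .http1_1, status: .payloadTooLarge, headers: headers)
        context.write(self.wrapOutboundOut(.head(head)), promise: nil)
        context.writeAndFlush(self.wrapOutboundOut(.end(nil))).whenComplete { _ in
            context.close(promise: nil)
        }
    }
}
```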

Thanks for the heads up, this was exactly what I was doing :grimacing: