NIOHTTP1 yields HTTP body parts as instances of ByteBuffer. Is there a maximum size for these buffers, and if so, how can it be configured?
Is it possible to DoS an NIO channel by sending it HTTP requests with very long bodies?
There is no maximum size for these elements. However, it is not possible to DoS a NIO Channel in this way because HTTPDecoder never buffers body elements. The ByteBuffers that are passed through the Channel are either the buffers that were directly read from the network (for non-chunked payloads) or sliced out chunk segments (which are necessarily smaller than the read buffers, as the data is excluded).
However, DoS risk is possible if a user ChannelHandler performs body aggregation to flatten this stream of ByteBuffers down to a single ByteBuffer. NIO's NIOHTTPServerRequestAggregator is an example. Note that this has a maxContentLength parameter that is used to prevent DoS: any user implementation of this concept should do the same thing.
(As a sidebar, there is an effective maximum size of these ByteBuffers, which is the maximum size of a single read from the lower level transport. In HTTP/1 this will usually be either the size of the socket receive buffer (for plaintext) or the maximum size of a TLS record (for TLS). In HTTP/2, the maximum frame size is also a limit.)
Thanks for the heads up, this was exactly what I was doing.