CVE-2020-11612: Compression/Decompression Codecs should enforce memory allocation size limits · Issue #6168 · netty/netty
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
Expected behavior
To protect against OOME, the compression and decompression codecs should explicitly limit the amount of data they compress and decompress. We may be vulnerable to OOME from large or malicious input.
Actual behavior
In light of #5997 most of the compression/decompression codecs don’t enforce limits on buffer allocation sizes.
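The following is an added example of the kind of limit the issue asks for; it is not Netty's code and not part of the original issue. It is written against the plain JDK java.util.zip API rather than Netty's codec classes, so it runs stand-alone. The class name BoundedInflate, the exception type DecompressionLimitExceeded, the parameter name maxAllocation and the 16 MiB all-zero sample payload are constructed for this illustration and do not refer to any Netty API. The decoder checks the cumulative decoded size before appending each chunk, which is what keeps a small, highly compressible input from forcing an unbounded allocation.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/** Added example: bounded zlib decoding with the plain JDK API (hypothetical class, not Netty's). */
public final class BoundedInflate {

    /** Hypothetical exception raised when decoded output would exceed the cap. */
    public static final class DecompressionLimitExceeded extends RuntimeException {
        DecompressionLimitExceeded(String message) { super(message); }
    }

    /**
     * Inflates a zlib stream, refusing to let the cumulative output grow beyond
     * maxAllocation bytes. The check runs before each chunk is appended, so the
     * decoder never holds more than maxAllocation plus one scratch chunk in memory.
     */
    public static byte[] inflateBounded(byte[] compressed, int maxAllocation)
            throws DataFormatException {
        Inflater inflater = new Inflater();
        inflater.setInput(compressed);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(chunk);
                if (n == 0) {
                    if (inflater.finished()) {
                        break;
                    }
                    // inflate() produced nothing and the stream is not done: the input
                    // was truncated or a preset dictionary is required.
                    throw new DataFormatException("truncated zlib stream or preset dictionary required");
                }
                if (out.size() + n > maxAllocation) {
                    throw new DecompressionLimitExceeded(
                            "decompressed size would exceed limit of " + maxAllocation + " bytes");
                }
                out.write(chunk, 0, n);
            }
        } finally {
            inflater.end(); // release native zlib state on every path
        }
        return out.toByteArray();
    }

    /** Helper that builds the constructed sample input; not part of the limit logic. */
    public static byte[] deflate(byte[] plain) {
        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION);
        deflater.setInput(plain);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        while (!deflater.finished()) {
            out.write(chunk, 0, deflater.deflate(chunk));
        }
        deflater.end();
        return out.toByteArray();
    }

    public static void main(String[] args) throws DataFormatException {
        int maxAllocation = 1024 * 1024; // 1 MiB cap for this demo

        // Normal input: well under the cap, decodes fully.
        byte[] hello = "hello, bounded zlib".getBytes(StandardCharsets.US_ASCII);
        byte[] roundTrip = inflateBounded(deflate(hello), maxAllocation);
        System.out.println("decoded " + roundTrip.length + " bytes: "
                + new String(roundTrip, StandardCharsets.US_ASCII));

        // Constructed oversized input: 16 MiB of zeros compresses to a few KiB, which is
        // the kind of ratio an unbounded decoder would be forced to expand in full.
        byte[] oversized = deflate(new byte[16 * 1024 * 1024]);
        System.out.println("oversized stream is " + oversized.length + " bytes compressed");
        try {
            inflateBounded(oversized, maxAllocation);
            System.out.println("unexpected: limit was not enforced");
        } catch (DecompressionLimitExceeded e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The cap is compared against the total decoded so far rather than the input size, because the input size says nothing about how much a zlib stream will expand; a decoder that only looks at the compressed length is the unbounded behaviour this issue describes.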
Steps to reproduce
N/A
Minimal yet complete reproducer code (or URL to code)
N/A
Netty version
4.1.7-SNAPSHOT
JVM version (e.g. java -version)
N/A
OS version (e.g. uname -a)
N/A