`http.client.HTTPResponse.read()` (without argument) consumes the amount of memory specified by the value of the `Content-Length` header in the response before it starts receiving the data from the socket. Normally, if the server does not send enough data, the client gets an `IncompleteRead` error, but if `Content-Length` is too large, it can consume a large amount of memory and CPU time and cause swapping. Therefore, a maleficent server can cause a DoS attack on the client by sending a small response.
Reading the whole body of the HTTP response could cause OOM if
the Content-Length value is too large even if the server does not send
a large amount of data. Now the HTTP client reads large data by chunks,
therefore the amount of consumed memory is proportional to the amount
of sent data.
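A client-side guard for the behaviour described above, as an added example that is not part of the issue or of the CPython change: it rejects an oversized declared length before reading and then reads in bounded chunks. `read_bounded`, `BodyTooLarge`, `FakeSocket`, `parse_response` and the canned responses used with them are names and data constructed for this example.

```python
import http.client
import io

class BodyTooLarge(Exception):
    """The response declares or delivers more bytes than the caller allows."""

class FakeSocket:
    """Constructed test double: replays canned bytes as if sent by a server."""
    def __init__(self, data):
        self._data = data
    def makefile(self, mode, *args, **kwargs):
        return io.BytesIO(self._data)

def parse_response(raw):
    """Build an HTTPResponse from raw bytes and parse status line and headers."""
    resp = http.client.HTTPResponse(FakeSocket(raw))
    resp.begin()
    return resp

def read_bounded(resp, max_bytes, chunk_size=64 * 1024):
    """Read the body in chunks, never buffering more than max_bytes."""
    header = resp.getheader("Content-Length")
    declared = int(header) if header and header.isdigit() else None
    if declared is not None and declared > max_bytes:
        # Refuse on the header alone, before any body bytes are requested.
        raise BodyTooLarge(f"declared {declared} bytes, limit {max_bytes}")
    chunks, total = [], 0
    while True:
        # Ask for one byte past the limit so an oversized body is detected.
        chunk = resp.read(min(chunk_size, max_bytes + 1 - total))
        if not chunk:
            break
        total += len(chunk)
        if total > max_bytes:
            raise BodyTooLarge(f"received more than {max_bytes} bytes")
        chunks.append(chunk)
    body = b"".join(chunks)
    if declared is not None and total < declared:
        # Server closed early: memory used tracks bytes sent, not bytes declared.
        raise http.client.IncompleteRead(body, declared - total)
    return body
```

Because the limit is enforced by the caller, this guard does not depend on which Python version's `read()` is underneath it.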