RFR 9: JEP 290: Filter Incoming Serialization Data

Peter Firmstone peter.firmstone at zeus.net.au
Tue Aug 30 02:07:55 UTC 2016

A quick thought on the array size filter:

The system creates an array with a size read from the stream.

If Mallory sends a multidimensional array in the stream, then Mallory can consume all JVM memory without exceeding the array size limit or the stream data limit.

We also need an array combined length limit.



Sent from my Samsung device.
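
The combined length limit proposed above, sketched as an added example that is not part of the original message or of the JDK: a stateful filter written against java.io.ObjectInputFilter as it shipped in Java 9, which sums every array length announced in one stream. The class names, the limits and the benign nested array used as input are constructed for illustration.

```java
import java.io.*;

public class CumulativeArrayFilterDemo {
    /** Hypothetical filter; it keeps a running total, so use one instance per stream. */
    static final class CumulativeArrayFilter implements ObjectInputFilter {
        private final long maxArray, maxTotal;
        private long total;                       // sum of all array lengths seen so far
        CumulativeArrayFilter(long maxArray, long maxTotal) {
            this.maxArray = maxArray;
            this.maxTotal = maxTotal;
        }
        @Override public Status checkInput(FilterInfo info) {
            long len = info.arrayLength();        // -1 when the check is not for an array
            if (len < 0) return Status.UNDECIDED;
            if (len > maxArray) return Status.REJECTED;   // the usual per-array limit
            total += len;                         // each nesting level adds to the budget
            return total > maxTotal ? Status.REJECTED : Status.UNDECIDED;
        }
    }

    /** Constructed input: 'depth' arrays of 'width' slots, each nested in slot 0 of the next. */
    static Object nested(int depth, int width) {
        Object[] inner = null;
        for (int i = 0; i < depth; i++) {
            Object[] outer = new Object[width];
            outer[0] = inner;
            inner = outer;
        }
        return inner;
    }

    /** Returns true if the stream deserializes, false if the filter rejects it. */
    static boolean accepts(byte[] data, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) { // thrown when a filter returns REJECTED
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(nested(8, 1000));     // 8 arrays, each within the per-array limit
        }
        byte[] data = buf.toByteArray();
        System.out.println("per-array limit only: "
                + accepts(data, new CumulativeArrayFilter(1000, Long.MAX_VALUE)));
        System.out.println("with combined limit:  "
                + accepts(data, new CumulativeArrayFilter(1000, 5000)));
    }
}
```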