Undertow / UNDERTOW-2336

CVE-2024-1635 At Http upgrade to remoting, WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener


    When the remoting server receives the EOF and closes the connection (see here) during an HTTP upgrade operation, the WriteTimeoutStreamSinkConduit channel is unaware that the connection was closed, and its timeout expiration handle is kept active for a while, associated with the WorkerThread. As a result, the whole tree of channels for that connection is not garbage collected until that task is executed, causing a temporary memory leak.
    This bug was uncovered as part of the investigation for WFLY-18700 and it is related to the stack trace shown in XNIO-427.
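
The retention mechanism described above, as an added illustration that is not Undertow, XNIO or Remoting code: a pending timeout task keeps its connection reachable from the worker's queue until it fires or is cancelled. `Connection`, `closeUnaware` and `closeAndCancel` are hypothetical names, and a JDK `ScheduledThreadPoolExecutor` stands in for the worker thread; cancelling on close is shown as a general pattern, not as the project's actual fix.

```java
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class TimeoutHandleLeakDemo {
    // Hypothetical stand-in for one connection's channel tree (not an Undertow class).
    static final class Connection {
        final byte[] buffers = new byte[64 * 1024];
        ScheduledFuture<?> timeoutHandle;
        volatile boolean open = true;

        void armWriteTimeout(ScheduledThreadPoolExecutor worker, long seconds) {
            // The task captures 'this', so the worker's queue keeps the whole
            // object graph reachable until the task runs or is removed.
            timeoutHandle = worker.schedule(() -> { if (open) open = false; },
                                            seconds, TimeUnit.SECONDS);
        }

        // Close path that knows nothing about the pending timeout handle.
        void closeUnaware() { open = false; }

        // Close path that also cancels the pending timeout handle.
        void closeAndCancel() {
            open = false;
            if (timeoutHandle != null) timeoutHandle.cancel(false);
        }
    }

    // Returns how many timeout tasks (and therefore connections) the worker still retains.
    static int pendingAfter(boolean cancelOnClose, int connections) {
        ScheduledThreadPoolExecutor worker = new ScheduledThreadPoolExecutor(1);
        worker.setRemoveOnCancelPolicy(true); // cancelled tasks leave the queue at once
        try {
            for (int i = 0; i < connections; i++) {
                Connection c = new Connection();
                c.armWriteTimeout(worker, 60);
                if (cancelOnClose) c.closeAndCancel(); else c.closeUnaware();
            }
            return worker.getQueue().size();
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) {
        System.out.println("retained after unaware close:    " + pendingAfter(false, 1000));
        System.out.println("retained after cancelling close: " + pendingAfter(true, 1000));
    }
}
```

With the unaware close path every closed connection stays queued for the full timeout, so memory held scales with the rate of closed upgrades multiplied by the timeout length.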

          ropalka Richard Opalka
          flaviarnn Flavia Rainone
          Alessio Soldano, Bartosz Baranowski, Brad Maxwell, Darran Lofthouse, Flavia Rainone, Ingo Weiss, Jan Kašík, Jason Lee, Lin Gao, Masafumi Miura, Paul Ferraro, Radoslav Husar, Richard Achmatowicz, Richard Opalka, Stefano Maestri, Tomas Hofman, Tom Jenkinson, Tommaso Bagassi