Undertow / UNDERTOW-2336

CVE-2024-1635 At Http upgrade to remoting, WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener


    When the remoting server receives EOF and closes the connection (see here) during an HTTP upgrade operation, the WriteTimeoutStreamSinkConduit channel is unaware that the connection was closed. Its timeout expiration handle stays active for a while and remains associated with the WorkerThread. As a result, the whole tree of channels for that connection cannot be garbage collected until that task is executed, causing a temporary memory leak.
    This bug was uncovered as part of the investigation for WFLY-18700 and it is related to the stack trace shown in XNIO-427.
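
The retention pattern described above, reduced to plain JDK classes as an added example (this is not Undertow or XNIO code). `Conduit`, `closedElsewhere` and `collectedAfterClose` are hypothetical names, and a `ScheduledThreadPoolExecutor` stands in for the worker thread's timer.

```java
import java.lang.ref.WeakReference;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;

public class TimeoutHandleLeakDemo {
    // Hypothetical stand-in for a conduit and the channel tree it references.
    static final class Conduit {
        final byte[] channelTree = new byte[1 << 20];
        ScheduledFuture<?> timeoutHandle;

        void armTimeout(ScheduledThreadPoolExecutor worker, long seconds) {
            // The lambda captures 'this': the worker's queue now references the conduit.
            timeoutHandle = worker.schedule(() -> onTimeout(), seconds, TimeUnit.SECONDS);
        }
        void onTimeout() { channelTree[0] = 1; }

        // Connection closed by another layer; the conduit never hears about it.
        void closedElsewhere() { }
        // Close path that also cancels the pending timeout.
        void close() { timeoutHandle.cancel(false); }
    }

    static boolean collectedAfterClose(boolean cancelOnClose) throws InterruptedException {
        ScheduledThreadPoolExecutor worker = new ScheduledThreadPoolExecutor(1);
        // Without this, a cancelled task stays queued until its delay elapses.
        worker.setRemoveOnCancelPolicy(true);
        try {
            Conduit conduit = new Conduit();
            conduit.armTimeout(worker, 60);
            WeakReference<Conduit> ref = new WeakReference<>(conduit);
            if (cancelOnClose) conduit.close(); else conduit.closedElsewhere();
            conduit = null; // drop the only application reference
            // System.gc() is only a hint, so retry a few times.
            for (int i = 0; i < 10 && ref.get() != null; i++) {
                System.gc();
                Thread.sleep(50);
            }
            return ref.get() == null;
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("timeout left armed, collected: " + collectedAfterClose(false));
        System.out.println("timeout cancelled,  collected: " + collectedAfterClose(true));
    }
}
```

When the timeout is left armed, the scheduler's queue is the only thing keeping the conduit reachable, which is why the memory is released only once the task runs.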

            ropalka Richard Opalka
            flaviarnn Flavia Rainone
            Alessio Soldano, Bartosz Baranowski, Brad Maxwell, Darran Lofthouse, Flavia Rainone, Ingo Weiss, Jan Kašík, Jason Lee, Lin Gao, Masafumi Miura, Paul Ferraro, Radoslav Husar, Richard Achmatowicz, Richard Opalka, Stefano Maestri, Tomas Hofman, Tom Jenkinson, Tommaso Bagassi