Description
Jetty version(s)
12.0.14+
Jetty Environment
ee10
Java version/vendor (use: java -version)
17
OS type/version
Tested on Amazon Linux and macOS
Description
We are seeing OutOfMemoryExceptions in Jetty when a large Form POST is made against our web app. We are finding that the org.eclipse.jetty.server.Request.maxFormContentSize parameter is not stopping this from happening in our case.
This is specifically happening when the POST body contains a very large value for a key. In our case the value of one of our form parameters was a JSON object, and if this gets excessively large, the JVM will run out of memory rather than stop processing the form once the maxFormContentSize is reached. If the value is above maxFormContentSize but within the available memory, we see the correct error logged (that the form is too big).
Here is the stack trace when this condition is triggered:
The issue seems to happen here:
It would seem like maybe the complete value is read in before the checkMaxLength() method is called, and therefore, if the value is very large, it will consume all available memory in the heap.
We upgraded from 9.x a few months ago, and although we have not been able to validate this, we had not seen cases like this on our old setup.
How to reproduce?
We've written a sample server and client (attached) to reproduce the problem on 12.0.18. The server is a simple web app with a maxFormContentSize of 1000 bytes, while the client tries to send a 700Mb variable in the form, which makes the server throw an OutOfMemoryException.
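
The difference between checking the form limit only at a field boundary (the pattern the report suspects) and checking it as each byte arrives, as an added Java sketch that is not Jetty's code and not the attached reproducer. The class and method names are hypothetical, and a constructed 5 MB field stands in for the 700Mb one.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Added illustration only: hypothetical names, not Jetty's form parser.
public class FormLimitDemo {
    static final int MAX_FORM_CONTENT_SIZE = 1000; // same limit as the reproducer's server

    // Limit checked only when a field ends ('&' or end of body).
    // Returns the bytes buffered when the form was rejected, or -1 if accepted.
    static int checkAtFieldEnd(InputStream in) throws IOException {
        StringBuilder field = new StringBuilder();
        int total = 0, b;
        while ((b = in.read()) != -1) {
            total++;
            if (b != '&') { field.append((char) b); continue; }
            if (total > MAX_FORM_CONTENT_SIZE) return field.length();
            field.setLength(0);
        }
        // The last field is fully buffered before the limit is ever consulted.
        return total > MAX_FORM_CONTENT_SIZE ? field.length() : -1;
    }

    // Limit checked on every byte: buffering can never exceed the limit.
    static int checkPerByte(InputStream in) throws IOException {
        StringBuilder field = new StringBuilder();
        int total = 0, b;
        while ((b = in.read()) != -1) {
            if (++total > MAX_FORM_CONTENT_SIZE) return field.length(); // reject, stop reading
            if (b == '&') field.setLength(0); else field.append((char) b);
        }
        return -1;
    }

    public static void main(String[] args) throws IOException {
        // Constructed body: one key with a single oversized value and no '&'.
        byte[] body = ("json=" + "x".repeat(5_000_000)).getBytes(StandardCharsets.US_ASCII);
        System.out.println("buffered before rejection, check at field end: "
                + checkAtFieldEnd(new ByteArrayInputStream(body)));
        System.out.println("buffered before rejection, check per byte:     "
                + checkPerByte(new ByteArrayInputStream(body)));
    }
}
```

With the first method, memory use grows with the size of the largest single value rather than with the configured limit, which matches the symptom described when one form value is far larger than maxFormContentSize.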
