Add support for maxInflateDataSize to limit uncompressed buffers #2139
Open
cshannon wants to merge 1 commit into
This change adds support for limiting the maximum inflation size of a message body when a message needs to be decompressed. This new setting will help prevent OOM errors from large buffers being allocated. The primary concern this is addressing is that compressed messages may be smaller than maxFrameSize and the broker will accept them, but if an event triggers a decompression a huge buffer could be created and cause OOM. The broker will have a new maxInflateDataSize config that is broker wide because the value isn't tied to a protocol and it will default to 100 MB. Clients are tied to a transport, so it makes more sense to make it as a ratio of maxFrameSize. The default is 10x maxFrameSize if configured which should be enough of a buffer under normal circumstances. The ratio can be changed using maxInflatedDataSizeRatio on a connection.
mattrpav
approved these changes
Jun 23, 2026
mattrpav
left a comment
Contributor
LGTM, pending tests completion.
This change adds support for limiting the maximum inflation size of a message body when a message needs to be decompressed. This new setting will help prevent OOM errors from large buffers being allocated.
The primary concern this is addressing is that compressed messages may be smaller than maxFrameSize and the broker will accept them, but if an event triggers a decompression a huge buffer could be created and cause OOM.
Most of the time the broker can avoid decompression but sometimes it is necessary. A message will need to be decompressed primarily when consumers come online for other protocols (such as stomp or amqp) because the message needs to be converted. Other more rare instances include xpath selectors or custom plugins.
The broker will have a new maxInflateDataSize config that is broker wide because the value isn't tied to a protocol and it will default to 100 MB. The default XML shipped with the broker for maxFrameSize is set to 10MB so this makes sense as it is 10x which will match the client default. Because clients are tied to a transport, it makes more sense to configure maxInflatedDataSize as a ratio of maxFrameSize. The default is 10x maxFrameSize if configured which should be enough of a buffer under normal circumstances. The ratio can be changed using maxInflatedDataSizeRatio on a connection.
The validation of maxInflatedDataSize is handled by checking the buffer size before allocation if known, or by taking advantage of FrameSizeLimitedFilterInputStream and wrapping InflaterInputStream using maxInflateDataSize as the limit so an exception will be thrown if the size is too large. Errors thrown will be handled by the same improved error handling added in #2136 so that messages can be removed and sent to the DLQ if they can't be dispatched.
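An added example, not code from this pull request or from the project, of the second validation path described above: the bytes coming out of an InflaterInputStream are counted and the read fails once they pass the limit, so a body that fits the frame limit cannot grow an unbounded buffer. The class and method names and the 64 KiB frame size are assumptions chosen to keep the demo small.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.InflaterInputStream;

// Added illustration; names here are hypothetical, not the project's classes.
public class BoundedInflateExample {
    // Inflate in small chunks and fail once the output passes the cap.
    static byte[] inflate(byte[] compressed, long maxInflatedSize) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (InputStream in = new InflaterInputStream(new ByteArrayInputStream(compressed))) {
            byte[] chunk = new byte[8192];
            long total = 0;
            int n;
            while ((n = in.read(chunk)) != -1) {
                total += n;
                if (total > maxInflatedSize) { // check before buffering the chunk
                    throw new IOException("inflated size exceeds " + maxInflatedSize + " bytes");
                }
                out.write(chunk, 0, n);
            }
        }
        return out.toByteArray();
    }
    // Build a constructed sample body: 'size' zero bytes, deflated.
    static byte[] deflatedZeros(int size) throws IOException {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        try (DeflaterOutputStream def = new DeflaterOutputStream(body)) {
            def.write(new byte[size]);
        }
        return body.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        long maxFrameSize = 64 * 1024;         // assumed frame limit for the demo
        long maxInflated = 10 * maxFrameSize;  // 10x ratio, as in the description
        byte[] ok = deflatedZeros(256 * 1024);             // 256 KiB inflated, under the cap
        byte[] oversized = deflatedZeros(8 * 1024 * 1024); // small on the wire, 8 MiB inflated
        System.out.println("ok: " + ok.length + " -> " + inflate(ok, maxInflated).length);
        System.out.println("oversized fits frame: " + (oversized.length < maxFrameSize));
        try {
            inflate(oversized, maxInflated);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```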