Port Scanning on jeromq based application (OutOfMemoryError)
Hi Guys,
We are facing a critical issue while a port scanning application is running against our jeromq based application, version 0.3.4.
It seems like an issue in zmq.V1Decoder: it collects the traffic of the port scanning application, and then fails while initializing the Msg object due to the message size.
Please see below the exception stack trace:
java.lang.OutOfMemoryError: Java heap space
Exception in thread "iothread-2" java.lang.OutOfMemoryError: Java heap space
    at zmq.Msg.<init>(Msg.java:64)
    at zmq.V1Decoder.eight_byte_size_ready(V1Decoder.java:104)
    at zmq.V1Decoder.next(V1Decoder.java:45)
    at zmq.DecoderBase.process_buffer(DecoderBase.java:124)
    at zmq.StreamEngine.in_event(StreamEngine.java:307)
    at zmq.StreamEngine.plug(StreamEngine.java:240)
    at zmq.SessionBase.process_attach(SessionBase.java:355)
    at zmq.ZObject.process_command(ZObject.java:80)
    at zmq.IOThread.in_event(IOThread.java:90)
After investigation of the heap dump, we noticed that in eight_byte_size_ready() the msg_size is a large negative number.
byte[] tmpbuf = new byte[] { -5, 24, -1, -5, 31, -1, -5, 32 };
final long msg_size = -353251116709840096L;
The comparison in the V1Decoder eight_byte_size_ready function doesn’t help, as it looks like it doesn’t expect a negative number.
if (maxmsgsize >= 0)
..
if (msg_size > Integer.MAX_VALUE) {
..
We thought that the PLAIN authentication feature in 0.4.0 may help us to solve this problem, but we can’t find any documentation or examples of how to use it in jeromq…
Can you please help? Any comment is really appreciated!
Thanks a lot! Kobi.
Issue Analytics
- Created 6 years ago
- Comments: 9 (3 by maintainers)
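Added example (not code from the issue or from jeromq): it decodes the eight bytes quoted in the report as a signed big-endian long, shows that an upper-bound-only comparison accepts the negative result, and contrasts that with a check that rejects negative sizes before anything is allocated. The class and method names, the 1 MiB limit, the elided comparison against maxmsgsize and the narrowing `(int)` cast are assumptions; the issue does not show them.

```java
import java.nio.ByteBuffer;

public class LengthCheckDemo {
    // The 8-byte size field as reported in the issue's heap dump.
    static final byte[] TMPBUF = { -5, 24, -1, -5, 31, -1, -5, 32 };

    // A Java long is signed, so a field whose top bit is set decodes as negative.
    static long decodeLength(byte[] field) {
        return ByteBuffer.wrap(field).getLong(); // big-endian by default
    }

    // Upper-bound-only test in the shape quoted in the issue. The body of the
    // maxmsgsize branch is elided there; comparing against it is an assumption.
    static boolean passesUpperBoundOnly(long msgSize, long maxMsgSize) {
        if (maxMsgSize >= 0 && msgSize > maxMsgSize) {
            return false;
        }
        return msgSize <= Integer.MAX_VALUE; // a negative size always passes
    }

    // Hardened form: reject negative and over-limit sizes before allocating.
    static int validatedSize(long msgSize, long maxMsgSize) {
        if (msgSize < 0) {
            throw new IllegalArgumentException("negative frame size: " + msgSize);
        }
        long limit = maxMsgSize >= 0
                ? Math.min(maxMsgSize, Integer.MAX_VALUE)
                : Integer.MAX_VALUE;
        if (msgSize > limit) {
            throw new IllegalArgumentException("frame size over limit: " + msgSize);
        }
        return (int) msgSize; // safe: 0 <= msgSize <= Integer.MAX_VALUE
    }

    public static void main(String[] args) {
        long msgSize = decodeLength(TMPBUF);
        System.out.println("decoded msg_size        = " + msgSize);
        System.out.println("passes upper-bound test = " + passesUpperBoundOnly(msgSize, -1));
        // Assumption: a narrowing cast like this one precedes the allocation.
        System.out.println("(int) msg_size          = " + (int) msgSize);
        try {
            validatedSize(msgSize, 1 << 20); // hypothetical 1 MiB cap
        } catch (IllegalArgumentException e) {
            System.out.println("hardened check rejects  : " + e.getMessage());
        }
    }
}
```

With an unchecked narrowing cast, only the low 32 bits of the field survive, which is how a negative 64-bit size can turn into a positive allocation request of several hundred megabytes.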
Yes, it looks like the problem that I had is solved.
Awesome