New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potentially concurrent and memory leak #25997
Comments
We don't usually consider race conditions and internal memory leaks as security-sensitive, so feel free to raise them here directly. Of course, if you have can reproduce an externally induced memory leak leading to a potential DoS attack, it's better off as a security report. However, your report above rather sounds like feedback on an implementation pattern based on a code review... |
If by any chance you mean non-synchronized get/put operations against a |
Hi Juergen, Thanks for verbose explanation. That kind of issues are difficult to reproduce and code review is probably one of the best way to find it. So, You right my feedback based on a code review. As discussed it should be possible to get rid of double lock in similar place to Could you change status of ticket to Kindly regards, |
I think this should have been closed with #30780. |
Affects:
all up to 5.3.1-SNAPSHOT
I found some suspicious pattern of the Java code which can lead to concurrent race condition and memory leak. I confirm problematic software pattern in other software, outside of Spring. In Spring-Framework source code I found the same concurrent pattern in places e.g. CacheAspectSupport, AbstractAdvisingBeanPostProcessor, AdvisedSupport, AsyncExecutionInterceptor etc.
Also in other place of Spring-Framework source code it's correctly implemented.
Also I'd like to mention that I'm application developer not framework developer and I don't know internal Spring implementation. I known sounds unlikely. I hope I'm wrong.
I will provide more details via e-mail security@pivotal.io
Kindly regards
The text was updated successfully, but these errors were encountered: