MemoryStream.CopyToAsync ignores buffer size which can cause BufferedStream to throw OverflowException

[mconnew]

Description

If MemoryStream is holding around 1GB of data, calling MemoryStream.CopyToAsync attempts to write the entire buffered data in a single write to the destination stream. If the buffer passed to BufferedStream.WriteAsync would overflow its internal buffer, it calls BufferedStream.WriteToUnderlyingStreamAsync. This method has the following bounds check:

    int totalUserBytes;
    bool useBuffer;
    checked
    {
        // We do not expect buffer sizes big enough for an overflow, but if it happens, lets fail early:
        totalUserBytes = _writePos + buffer.Length;
        useBuffer = (totalUserBytes + buffer.Length < (_bufferSize + _bufferSize));
    }

The left side of the less than comparison ends up being _writePos + (2 * buffer.Length). If buffer.Length is close to (depending on the current _writePos value) or larger than 1GB, the value will overflow an int32.
This happens because MemoryStream.CopyToAsync(Stream destination, int bufferSize, CancellationToken cancellationToken) has the following code:

  // If destination is not a memory stream, write there asynchronously:
  if (!(destination is MemoryStream memStrDest))
      return destination.WriteAsync(_buffer, pos, n, cancellationToken);

This results in MemoryStream not writing its contents to the destination stream in chunks that are bufferSize big.

Another scenario where this might cause problems is when the destination stream doesn't override WriteAsync, instead depending on the default Stream.WriteAsync which wraps the BeginWrite/EndWrite methods in a Task. The default wrapper checks the state of the cancellationToken before calling BeginWrite/EndWrite. By calling destination.WriteAsync on the entire buffer instead of breaking it up like the semantics of CopyToAsync require, any amount of data stored in a MemoryStream would only check the cancellationToken at initial call. One example of this is HttpResponseStream which doesn't override WriteAsync. If for example I had a more modest 5MB of data to write as a response, the cancellationToken would only get checked on first calling WriteAsync. If the request is sending very slowly, it would complete the entire send of the response body regardless of how much time it took, ignoring the cancellationToken. If MemoryStream.CopyToAsync honored the bufferSize, then a slow send would have a chance between each buffer being sent to check the cancellationToken.

Reproduction Steps

byte[] dummyData = new byte[1024 * 1024 * 511 * 3]; // 512MB
using var stream = new MemoryStream(dummyData);

var destStream = new MemoryStream(dummyData.Length);
var bufferedStream = new BufferedStream(destStream, 65536);
await stream.CopyToAsync(bufferedStream, 65536);

Expected behavior

For the MemoryStream to successfully write to the BufferedStream.

Actual behavior

This results in a System.OverflowException being thrown.

Regression?

Based on examining code, this looks to have existed all the way back to .NET Framework.

Known Workarounds

Create your own class derived from MemoryStream to use in its place. The type check in MemoryStream.CopyToAsync is written such that it avoids the "fast path" in the code and does the correct thing.

    public class FixedMemoryStream : MemoryStream
    {
        public FixedMemoryStream(byte[] buffer) : base(buffer) { }
        public FixedMemoryStream(byte[] buffer, int index, int count) : base(buffer, index, count) { }
        public FixedMemoryStream(int capacity) : base(capacity) { }
        public FixedMemoryStream() : base() { }
    }

Configuration

No response

Other information

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-io
See info in area-owners.md if you want to be subscribed.

[mayorovp]

1Gb MemoryStream is a bad idea anyway due to memory fragmentation issues.
Consider using of unlimited pipe instead.

[mconnew]

I did also explain how even a smaller allocation in a MemoryStream would cause problems with writing to an HttpResponseStream preventing the enforcement of a CancellationToken being cancelled. That's a scenario that didn't directly cause me a problem like the large MemoryStream problem with a BufferedStream, but is still negatively affected by this bug.

I understand large MemoryStream instances aren't ideal, but you aren't always going to have fragmentation issues. You only get memory fragmentation issues if you aren't pooling your buffers and you allow MemoryStream to allocate and grow its own arrays. If you allocate the byte[] in a pool and wrap in a MemoryStream, no fragmentation issues.

This came up when finding a solution for a customer problem using mtom. There's an interface called IStreamProvider which enables efficient data transfer with mtom (avoids base64 encoding byte arrays). The customer has byte[] in their service contract, which the mtom writer stores to send at the end. The mtom writer it limited to storing 2GB of byte[] data (across multiple byte[] instances). The solution is to wrap their byte[] instances as Stream instances and expose via IStreamProvider, that way the mtom writer doesn't add up the lengths of them all.

Unfortunately IStreamProvider is for streams and not pipes so can't use unlimited pipes. Also unlimited pipes don't solve the problem of copying a MemoryStream to an HttpResponseStream.

[dmitry-azaraev]

In my opinion due to complexity of Stream impl and async-over-sync cases it is easier to have own external CopyToAsync implementation which will fit you needs.

You can get underlying buffer via GetBuffer in MemoryStream and chunk & write it, as you need without loosing performance. Or without buffer magic and simpler read/write loop.

BTW: on asp.net side i guess you not need in buffered response, because you already buffer it memory. So probably you can simply disable buffering and problem might be solved too.

Upd:

I did also explain how even a smaller allocation in a MemoryStream would cause problems with writing to an HttpResponseStream preventing the enforcement of a CancellationToken being cancelled. That's a scenario that didn't directly cause me a problem like the large MemoryStream problem with a BufferedStream, but is still negatively affected by this bug.

Something similar probably happens with .NET SDK/NuGet restoring big package on slow connection, but cancellation simply not work without hard termination. Additionally genuine decision to not indicate transfer rates and totals, and by default if package did not download in given timeout - will restart download automatically again, which means what it will never be downloaded, while consuming bandwidth as much as it can. :)

[mconnew]

@dmitry-azaraev, the specific problem where this reared its head was in the mtom xml writer where it gets the Stream from an IStreamProvider. Having to add logic to specifically handle MemoryStream goes against the reason for having a base Stream class with a virtual CopyToAsync method declared. Consumers of the method shouldn't have to care about the concrete type of the Stream.

ASP.NET Core won't always be buffering the response, and in this specific usage scenario, that wouldn't be appropriate. If you are sending a SOAP request (or in the case of asp.net core, a response), you would use MTOM when you have very large binary payloads. You don't want to buffer the entire payload in that scenario. A BufferedStream doesn't buffer the entire payload, it's there to prevent repeated sending small packets of data along the entire call path to the IO stream. So for example, when writing an XML SOAP message, the XmlWriter can write individual characters such as < to start an element and you don't have the entire overhead of asynchronously writing a single character. Once enough data has been accumulated, it then flushes the buffer. It's a single mtom xml writer that writes the XML SOAP message as well as when the final closing element in the SOAP message has been written, it then writes the stored IStreamProvider payloads to the same stream. Abstractly it's just an XmlDictionaryWriter that's being used up the call stack, so there's no ability to wrap the SOAP xml part with a BufferedStream, and then drop the buffering for the large byte payloads. If we removed the BufferedStream, then we would get terrible performance on the individual writes of the XML part of the message. CoreWCF turns of buffering the entire response body when used in streamed mode, so we can't rely on ASP.NET Core's buffering as we've turned it off. Regardless, while all true and an overall concern, this is irrelevant for the case this was discovered as it was the WCF Client using HttpClientHandler. We provide a custom HttpContent implementation which writes directly to the request stream, so we wrap it in a BufferedStream for all the same reasons as I do in CoreWCF.

[mconnew]

There's a contract with the CopyToAsync method where you pass the buffer size which is supposed to copy the data in chunks of that size. I can see an argument for having the MemoryStream.CopyToAsync overload where you don't specify a buffer size doing this optimization, and admittedly the mtom xml writer doesn't specify the buffer size and just uses this default. I'd be fine with making a change to the mtom xml writer to use the overload to explicitly specify the buffer size if the solution was to keep the optimization when not specifying it, as technically not specifying a buffer size means it's free to use any size it wants, up to and including the entire MamoryStream contents.
Implementing this might be tricky as only the overload which accepts the buffer size is virtual. The rest of the overloads are non-virtual defined on Stream itself. It uses an unusual default buffer size to avoid allocating in the LOH, a size nobody would realistically explicitly pass themselves. So you could make the decision based on the buffer size being this magic number. I don't like magic numbers in code, but in this case it seems reasonable.