Skip to content

Auto-port 5.0: Add maxFrameLength support to ProtobufVarint32FrameDecoder#16659

Merged
chrisvest merged 2 commits into
5.0from
auto-port-pr-16633-to-5.0
Apr 18, 2026
Merged

Auto-port 5.0: Add maxFrameLength support to ProtobufVarint32FrameDecoder#16659
chrisvest merged 2 commits into
5.0from
auto-port-pr-16633-to-5.0

Conversation

@netty-project-bot

@netty-project-bot netty-project-bot commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

Auto-port of #16633 to 5.0
Cherry-picked commit: 6ab2d86

Motivation

ProtobufVarint32FrameDecoder has no protection against oversized frames. A malicious client can send a large varint length value and cause the server to allocate excessive memory.

Modification

  • Add maxFrameLength constructor parameter
  • When a frame exceeds maxFrameLength, skip the frame bytes and throw TooLongFrameException
  • Default constructor remains backward-compatible (maxFrameLength = Integer.MAX_VALUE)

Result

Oversized protobuf frames are now rejected with TooLongFrameException instead of causing unbounded memory allocation.

@fru1tworld @normanmaurer @netty-project-bot
Add maxFrameLength support to ProtobufVarint32FrameDecoder (#16633)
70f96cc 
## Motivation

`ProtobufVarint32FrameDecoder` has no protection against oversized
frames. A malicious client can send a large varint length value and
cause the server to allocate excessive memory.

## Modification

- Add `maxFrameLength` constructor parameter
- When a frame exceeds `maxFrameLength`, skip the frame bytes and throw
`TooLongFrameException`
- Default constructor remains backward-compatible (`maxFrameLength =
Integer.MAX_VALUE`)

## Result

Oversized protobuf frames are now rejected with `TooLongFrameException`
instead of causing unbounded memory allocation.

---------

Co-authored-by: Norman Maurer <norman_maurer@apple.com>
(cherry picked from commit 6ab2d86)
@netty-project-bot netty-project-bot mentioned this pull request Apr 16, 2026
Merged
@netty-project-bot netty-project-bot deleted the auto-port-pr-16633-to-5.0 branch April 16, 2026 23:50
@normanmaurer normanmaurer restored the auto-port-pr-16633-to-5.0 branch April 16, 2026 23:54
@normanmaurer normanmaurer reopened this Apr 16, 2026
@chrisvest chrisvest added this to the 5.0.0.Final milestone Apr 17, 2026
@chrisvest chrisvest enabled auto-merge (squash) April 17, 2026 23:27
@chrisvest chrisvest merged commit 392ecb9 into 5.0 Apr 18, 2026
21 of 23 checks passed
@chrisvest chrisvest deleted the auto-port-pr-16633-to-5.0 branch April 18, 2026 00:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

5.0.0.Final

Development

Successfully merging this pull request may close these issues.

4 participants

@netty-project-bot @chrisvest @normanmaurer @fru1tworld