2

I have a Spring Boot backend and I have just solved "ERR_CONNECTION_RESET", when uploading a file from Angular frontend, by configuring maxSwallowSize Tomcat property. I'm trying to understand what it does exactly. Tomcat documentation is not obvious to me:

The maximum number of request body bytes (excluding transfer encoding overhead) that will be swallowed by Tomcat for an aborted upload. An aborted upload is when Tomcat knows that the request body is going to be ignored but the client still sends it. If Tomcat does not swallow the body the client is unlikely to see the response. If not specified the default of 2097152 (2 megabytes) will be used. A value of less than zero indicates that no limit should be enforced.

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

Can I get some help?

Héctor
  • 24,444
  • 35
  • 132
  • 243

1 Answers1

4

If your servlet's service() method exits (normally or exceptionally) without consuming the whole client's request body, Tomcat will still accept maxSwallowSize bytes before resetting the connection. This is required since most browsers read the server's response only after they sent the entire request (cf. this question).

To consume the requests body you need to:

  • if the request is encoded as application/x-www-form-urlencoded, you need to call one of the getParameter* methods,
  • if the request is encoded as multipart/form-data, you need to call one of the getPart* methods,
  • in all other cases you need to read the entire InputStream.

An unconsumed request body is usually caused by errors, including those in the parsing of parameters or form parts.

Piotr P. Karwasz
  • 12,857
  • 3
  • 20
  • 43
  • Doesn't this open up a denial of service attack vector? – TheRealChx101 Apr 15 '23 at 17:58
  • 1
    Swallowed data is very effectively discarded, so the attacker would have to fill the whole bandwidth of the server. I don't believe this qualifies as DoS vulnerability, but you should ask this on the Tomcat mailing list. – Piotr P. Karwasz Apr 15 '23 at 19:13
  • Effectively it could turn into a DOS if the server is spawning threads to handle 1TB file uploads since you'd have configured the server to allow unlimited "swallow" data. Even better, if you lowered the latency enough to just cause the handler threads not to time out, effectively and quickly increasing the pool of lingering threads. – TheRealChx101 Apr 15 '23 at 21:59