Allocation of Resources Without Limits or Throttling

Summary

Netty is a network application framework for development of protocol servers and clients. In netty-handler versions through 4.1.134.Final, 4.2.x through 4.2.14.Final and 5.x through 5.0.0.Alpha2, 'SslClientHelloHandler.decode()' reads the 24-bit TLS handshake length and, when the 'ClientHello' does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used 'SniHandler'/'AbstractSniHandler' constructors ('SniHandler(Mapping)', 'SniHandler(AsyncMapping)', 'AbstractSniHandler()') pass 'maxClientHelloLength=0' and 'handshakeTimeoutMillis=0', so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue.