WCF readerQuotas settings - drawbacks?

If a WCF service returns a byte array in its response message, there's a chance the data will exceed the default length of 16384 bytes. When this happens, the exception will be something like

The maximum array length quota (16384) has been exceeded while reading XML data. This quota may be increased by changing the MaxArrayLength property on the XmlDictionaryReaderQuotas object used when creating the XML reader.

All the advice I've seen on the web is just to increase the settings in the <readerQuotas> element to their maximum, so something like

<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
              maxArrayLength="2147483647" maxBytesPerRead="2147483647"
              maxNameTableCharCount="2147483647" />

on the server, and similar on the client.

I would like to know of any drawbacks with this approach, particularly if the size of the byte array may only occasionally get very large. Do the settings above just make WCF declare a huge array for each request? Do you have to limit the maximum size of the data returned, or can you just specify a reasonably-sized buffer and get WCF to keep going until all the data is read?



The main drawback is a potential vulnerability to attacks - e.g. a malicious source can now flood your webserver with messages up to 2 GB in size and potentially bring it down.

Of course, allowing 2 GB messages also puts some strain on your server in terms of memory consumption, since those messages need to be assembled in memory, in full (unless you use streaming protocols in WCF). If you have 10 clients sending you 2 GB messages, you'll need plenty of RAM on your server! :-)

Other than that, I don't see any real issues.


There is an article on MSDN which explains the various security considerations you need to think about when setting these values. Some denial-of-service attacks are those which eat up your memory and some of them (such as MaxDepth not being set properly) could cause fatal StackOverflowExceptions which could bring down your server in a single request.
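One way to review existing configuration for the pattern discussed in the question and answers above, as an added example that is not part of the original thread: a small Python audit that reads a WCF config and reports every quota left at 2147483647 or above a review ceiling. The ceiling values, the function names and the sample config are assumptions constructed for this example; bindings with a non-buffered transferMode are skipped for the message-size check only, since the memory concern raised above applies to buffered transfer.

```python
import xml.etree.ElementTree as ET

INT_MAX = 2147483647  # the value the question sets every quota to
# Assumed review ceilings (constructed for this example); size them to your real payloads.
CEILINGS = {"maxDepth": 128, "maxStringContentLength": 1_048_576,
            "maxArrayLength": 4_194_304, "maxBytesPerRead": 65_536,
            "maxNameTableCharCount": 65_536, "maxReceivedMessageSize": 4_194_304}
QUOTA_ATTRS = [a for a in CEILINGS if a != "maxReceivedMessageSize"]

# Constructed sample: the maxed-out quotas from the question next to a bounded binding.
SAMPLE_CONFIG = """<configuration><system.serviceModel><bindings><basicHttpBinding>
  <binding name="maxedOut" maxReceivedMessageSize="2147483647">
    <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                  maxArrayLength="2147483647" maxBytesPerRead="2147483647"
                  maxNameTableCharCount="2147483647" />
  </binding>
  <binding name="bounded" maxReceivedMessageSize="4194304">
    <readerQuotas maxArrayLength="4194304" />
  </binding>
</basicHttpBinding></bindings></system.serviceModel></configuration>"""

def _check(findings, binding_name, element, attr):
    raw = element.get(attr)
    if raw is None:
        return  # attribute absent, so the WCF default applies
    try:
        value = int(raw)
    except ValueError:
        findings.append((binding_name, attr, raw, "unparseable"))
        return
    if value >= INT_MAX:
        findings.append((binding_name, attr, value, "unbounded"))
    elif value > CEILINGS[attr]:
        findings.append((binding_name, attr, value, "above-ceiling"))

def audit_bindings(config_xml):
    """Return (binding, attribute, value, severity) for each oversized quota."""
    findings = []
    for binding in ET.fromstring(config_xml).iter("binding"):
        name = binding.get("name", "(unnamed)")
        # Buffered is the default transfer mode: the whole message is held in memory.
        if binding.get("transferMode", "Buffered") == "Buffered":
            _check(findings, name, binding, "maxReceivedMessageSize")
        for quotas in binding.iter("readerQuotas"):
            for attr in QUOTA_ATTRS:
                _check(findings, name, quotas, attr)
    return findings

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_CONFIG):
        print(finding)
```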

