activemq-issues mailing list archives

From "Timothy Bish (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMQ-5777) Implement and test maxFrameSize for STOMP
Date Fri, 15 May 2015 20:28:00 GMT

    [ https://issues.apache.org/jira/browse/AMQ-5777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14546129#comment-14546129 ]

Timothy Bish commented on AMQ-5777:
-----------------------------------

Keep in mind the STOMP frames are unmarshaled in two different places depending on the protocol.
For TCP and SSL the unmarshal is done in the StompWireFormat, and for NIO and NIO+SSL it is
done in StompCodec. Having just looked briefly, it looks as though the maxDataLength gets
treated differently depending on whether content-length is set in the message headers, which
seems wrong to me. The data length seems to have been intended to apply only against the actual
message body, but if there is no content-length it looks like it might get applied against the entire
frame size (would need a longer look to confirm that).

I think your work should probably resolve the above and use maxFrameSize as a consistent control
on the bytes being read in during the unmarshal in either location, and maxDataLength should
be applied as a consistent control on only the maximum length of the message body.

> Implement and test maxFrameSize for STOMP
> -----------------------------------------
>
>                 Key: AMQ-5777
>                 URL: https://issues.apache.org/jira/browse/AMQ-5777
>             Project: ActiveMQ
>          Issue Type: Sub-task
>          Components: Broker
>    Affects Versions: 5.11.1
>            Reporter: Christopher L. Shannon
>
> Implement and test {{maxFrameSize}} for STOMP to help prevent DOS attacks.  Testing should
> include TCP, SSL, NIO and NIO+SSL, etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
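
The split of responsibilities proposed in the comment above, as an added example that is not part of the original message and is not ActiveMQ code: one counter bounds every byte read for a frame (maxFrameSize), and a separate limit applies to the body alone (maxDataLength) whether or not content-length is present. The class name `BoundedStompReader`, the limit values and the sample frames are constructed for illustration, and LF line endings are assumed.

```java
import java.io.*;

// Added illustration only; not ActiveMQ's StompWireFormat or StompCodec. Assumes LF line endings.
public class BoundedStompReader {
    private final int maxFrameSize, maxDataLength; // option names from the thread
    private int frameBytes;                        // bytes consumed for the current frame
    BoundedStompReader(int frame, int data) { maxFrameSize = frame; maxDataLength = data; }
    // Single choke point: command, headers, body and NUL all count toward maxFrameSize.
    private int next(InputStream in) throws IOException {
        int b = in.read();
        if (b < 0) throw new EOFException("truncated frame");
        if (++frameBytes > maxFrameSize) throw new IOException("frame exceeds maxFrameSize");
        return b;
    }
    private String line(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        for (int b; (b = next(in)) != '\n'; ) buf.write(b);
        return buf.toString("UTF-8");
    }

    byte[] readBody(InputStream in) throws IOException {
        frameBytes = 0;
        line(in);                                  // command line, not needed here
        String declared = null;                    // first content-length header, if any
        for (String l; !(l = line(in)).isEmpty(); )
            if (declared == null && l.startsWith("content-length:")) declared = l.substring(15).trim();
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        if (declared != null) {                    // declared length: check it before reading
            int n;
            try { n = Integer.parseInt(declared); } catch (NumberFormatException e) { n = -1; }
            if (n < 0) throw new IOException("bad content-length");
            if (n > maxDataLength) throw new IOException("body exceeds maxDataLength");
            while (body.size() < n) body.write(next(in));
            if (next(in) != 0) throw new IOException("missing NUL terminator");
        } else {                                   // NUL-terminated: same limit, checked per byte
            for (int b; (b = next(in)) != 0; body.write(b))
                if (body.size() == maxDataLength) throw new IOException("body exceeds maxDataLength");
        }
        return body.toByteArray();
    }
    public static void main(String[] args) {
        BoundedStompReader r = new BoundedStompReader(48, 8);   // constructed limits
        String[] frames = { "SEND\ndestination:/queue/a\n\nhello\0",   // constructed samples
            "SEND\ndestination:/queue/a\n\n123456789\0", "SEND\ncontent-length:9\n\n123456789\0",
            "SEND\ndestination:/queue/a-very-long-destination-name-for-this-test\n\nhi\0" };
        for (String f : frames)
            try { System.out.println("accepted: " + r.readBody(new ByteArrayInputStream(f.getBytes("UTF-8"))).length + " body bytes"); }
            catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The second and third sample frames carry the same 9-byte body and are rejected by the same body limit, one without and one with content-length; the fourth is rejected by the frame limit while its header is still being read.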
