[jboss-jira] [JBoss JIRA] Commented: (JBREM-666) Broken or malicious clients can lock up the remoting server
Tom Elrod (JIRA)
jira-events at jboss.com
Fri Jan 19 00:17:52 EST 2007
[ http://jira.jboss.com/jira/browse/JBREM-666?page=comments#action_12351160 ]
Tom Elrod commented on JBREM-666:
----------------------------------
[Just a comment for release documentation]
While this problem remains in earlier versions of remoting, you can partially work around it by increasing the number of accept threads (config property numAcceptThreads). The default number of accept threads is 1, so it only takes one broken client to cause the remoting socket server to stop accepting new incoming requests (even if there are many server worker threads to process the request).
> Broken or malicious clients can lock up the remoting server
> -----------------------------------------------------------
>
> Key: JBREM-666
> URL: http://jira.jboss.com/jira/browse/JBREM-666
> Project: JBoss Remoting
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 2.2.0.Alpha3 (Bluto)
> Reporter: Ovidiu Feodorov
> Assigned To: Ovidiu Feodorov
> Priority: Critical
> Fix For: 2.2.0.Alpha5
>
>
> Due to the way the main socket accept loop is coded, there is an interval during which the main acceptor thread ("SocketServerInvoker#0-4457" in the log below) interacts with the new connection's input and output streams, before handing the connection over to a worker thread from the pool. During this period, the main acceptor thread is vulnerable to lock-ups, caused by either a broken or malicious client.
> Log from a production environment:
> 2007-01-08 16:13:31,473 624292 TRACE [org.jboss.remoting.transport.socket.SocketServerInvoker] @SocketServerInvoker#0-4457 Socket is going to be accepted
> 2007-01-08 16:13:31,473 624292 TRACE [org.jboss.remoting.transport.socket.SocketServerInvoker] @SocketServerInvoker#0-4457 Accepted: Socket[addr=/10.1.13.73,port=16999,localport=4457]
> 2007-01-08 16:13:31,473 624292 TRACE [org.jboss.remoting.transport.socket.SocketServerInvoker] @SocketServerInvoker#0-4457 try to get a thread for processing
> 2007-01-08 16:13:31,473 624292 TRACE [org.jboss.remoting.transport.socket.SocketServerInvoker] @SocketServerInvoker#0-4457 Got thread for processing - Thread[SocketServerInvokerThread-10.1.122.40-0,5,jboss]
> 2007-01-08 16:13:31,473 624292 TRACE [org.jboss.remoting.transport.socket.SocketServerInvoker] @SocketServerInvoker#0-4457 Reusing thread t=Thread[SocketServerInvokerThread-10.1.122.40-0,5,jboss]
> 2007-01-08 16:13:31,473 624292 TRACE [org.jboss.remoting.serialization.impl.jboss.JBossSerializationManager] @SocketServerInvoker#0-4457 Creating JBossObjectOutputStream
> 2007-01-08 16:13:31,473 624292 TRACE [org.jboss.remoting.serialization.impl.jboss.JBossSerializationManager] @SocketServerInvoker#0-4457 Creating JBossObjectInputStream
> 16:13:31,473 is the last time the main acceptor thread is heard from (the logged interval ends at 16:22:34 with the server shutdown).
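Added example, not part of the original message and not JBoss Remoting code: a minimal Java sketch of the accept-loop pattern the issue describes next to a hardened variant in which the acceptor only accepts and a worker does the stream setup under a read timeout. It assumes plain java.io.ObjectInputStream as a stand-in for the JBoss serialization streams; the class name, method names and timeout values are hypothetical.

```java
import java.io.*;
import java.net.*;
import java.util.concurrent.*;

public class AcceptLoopDemo {
    static void acceptLoop(ServerSocket server, ExecutorService workers, boolean fragile) {
        try {
            while (true) {
                Socket s = server.accept();
                if (fragile) { // pattern from the issue: acceptor opens the stream; ctor blocks on the header
                    ObjectInputStream in = new ObjectInputStream(s.getInputStream());
                    workers.execute(() -> serve(s, in));
                } else { // hardened: hand off at once; setup runs on a worker under a read timeout
                    workers.execute(() -> {
                        try (Socket c = s) {
                            c.setSoTimeout(1000); // assumed value, tune per deployment
                            serve(c, new ObjectInputStream(c.getInputStream()));
                        } catch (IOException e) { /* stalled or malformed peer: dropped */ }
                    });
                }
            }
        } catch (IOException e) { /* listener closed, or fragile-mode setup failed: stop */ }
    }
    static void serve(Socket s, ObjectInputStream in) {
        try (Socket c = s) {
            c.getOutputStream().write(in.readUTF().length()); // primitive read, no readObject
        } catch (IOException e) { /* timeout, EOF or malformed input: dropped */ }
    }
    // Well-behaved client: sends header plus one string, waits up to 3 s for the reply byte.
    static String probe(int port) throws IOException {
        try (Socket c = new Socket(InetAddress.getLoopbackAddress(), port)) {
            c.setSoTimeout(3000);
            ObjectOutputStream out = new ObjectOutputStream(c.getOutputStream());
            out.writeUTF("ping");
            out.flush();
            return "served, reply=" + c.getInputStream().read();
        } catch (SocketTimeoutException e) { return "no reply within 3 s"; }
    }
    public static void main(String[] args) throws Exception {
        ExecutorService workers = Executors.newCachedThreadPool();
        for (boolean fragile : new boolean[] {true, false}) {
            // 'silent' connects first and never sends anything (constructed test peer).
            try (ServerSocket server = new ServerSocket(0, 50, InetAddress.getLoopbackAddress());
                 Socket silent = new Socket(server.getInetAddress(), server.getLocalPort())) {
                new Thread(() -> acceptLoop(server, workers, fragile)).start();
                System.out.println((fragile ? "fragile:  " : "hardened: ") + probe(server.getLocalPort()));
            }
        }
        workers.shutdownNow();
    }
}
```

With a single acceptor, the fragile loop leaves the second client unanswered while the silent connection is open; in the hardened loop the silent connection only occupies one worker until its timeout expires.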