On 22/11/2021 15:36, Christopher Schultz wrote:
Mark,
Apologies for top-posting but this might get lost in the code below.
No problem.
This patch appears to:
1. Get the address from the just-accepted socket
2. Compare the address to the most-recently-accepted socket address (see
#3)
2a. Throw an error if the current and previous address are the same
3. Save a reference to the just-accepted socket address
Won't this be a problem if there is only one connection being handled,
going in and out of the poll/accept cycle?
No. accept() only happens on initial connection.
I haven't looked at the implementation of SocketAddress.equals and I may
be confusing things a bit, but I would imagine on a mostly-idle server,
this might cause an error:
1. Client connects from e.g. 127.0.0.1
2. Server accepts, stores 127.0.0.1
3. Client disconnects
4. Client connects from 127.0.0.1
2. Server accepts, throws error that 127.0.0.1 == 127.0.0.1
This would happen pretty frequently for connections through a
reverse-proxy.
Is there a way to differentiate between "I've seen this address before"
and "this is actually a duplicate?"
The address includes the remote port.
My observation is that the port that the client uses will increment for
subsequent connections so in the scenario above previous address will
not equal current address and Tomcat will continue as normal.
You might be able construct a scenario where you could get a legitimate
duplication. My sense is that is even less likely that the bug so from
that point of view having the defensive code is better than not having it.
If we wanted to protect against legitimate duplication I think we'd have
to add some sort of timing constraint. i.e. the duplication has to occur
with some small number of milliseconds. I'm not sure how the
cost/benefit analysis would work out for that sort of change.
Of course, the better option would be to get the bug fixed but my bug
report has been dormant since I raised it.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
