[ https://issues.apache.org/jira/browse/AMQ-5777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14546129#comment-14546129 ]

Timothy Bish commented on AMQ-5777:
-----------------------------------

Keep in mind the STOMP frames are unmarshaled in two different places depending 
on the protocol.  For TCP and SSL the unmarshal is done in the StompWireFormat 
and for NIO and NIO+SSL it is done in StompCodec.  Having just looked briefly, 
it looks as though the maxDataLength gets treated differently depending on 
whether content-length is set in the message headers, which seems wrong to me. 
The data length seems to have been intended to only apply against the actual 
message body, but if there is no content-length it looks like it might get 
applied against the entire frame size (would need a longer look to confirm that).

I think your work should probably resolve the above and use maxFrameSize as a 
consistent control on the bytes being read in during the unmarshal in either 
location, and maxDataLength should be applied as a consistent control on only 
the maximum length of the message body.

> Implement and test maxFrameSize for STOMP
> -----------------------------------------
>
>                 Key: AMQ-5777
>                 URL: https://issues.apache.org/jira/browse/AMQ-5777
>             Project: ActiveMQ
>          Issue Type: Sub-task
>          Components: Broker
>    Affects Versions: 5.11.1
>            Reporter: Christopher L. Shannon
>
> Implement and test {{maxFrameSize}} for STOMP to help prevent DOS attacks.  
> Testing should include TCP, SSL, NIO and NIO+SSL, etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
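
The split proposed in the comment above, as an added Python example that is not ActiveMQ code and not part of the original message: a frame limit counted on every byte read, and a body limit applied the same way whether or not content-length is present. `read_frame`, `LimitExceeded` and `SAMPLE` are hypothetical names; the example assumes LF line endings and no header escaping.

```python
import io

class LimitExceeded(Exception):
    """A frame or its body is larger than the configured limit."""

def read_frame(stream, max_frame_size, max_data_length):
    """Added illustration, not ActiveMQ code; names and limits are hypothetical."""
    count = 0
    def nxt():
        # Every byte passes through here, so the frame limit covers command, headers and body.
        nonlocal count
        b = stream.read(1)
        if not b:
            raise EOFError("truncated frame")
        count += 1
        if count > max_frame_size:
            raise LimitExceeded("frame exceeds maxFrameSize")
        return b
    def line():
        buf = bytearray()
        while (b := nxt()) != b"\n":
            buf += b
        return buf.decode("utf-8")
    command, headers = line(), {}
    while h := line():
        name, sep, value = h.partition(":")
        if not sep:
            raise ValueError("malformed header")
        headers.setdefault(name, value)  # first occurrence of a header wins
    declared = headers.get("content-length")
    if declared is not None:
        if not (declared.isascii() and declared.isdigit()):
            raise ValueError("bad content-length")
        if (declared := int(declared)) > max_data_length:
            raise LimitExceeded("body exceeds maxDataLength")  # before reading the body
    body = bytearray()
    while declared is None or len(body) < declared:
        if (b := nxt()) == b"\x00" and declared is None:
            break  # without content-length the first NUL ends the body
        if len(body) >= max_data_length:
            raise LimitExceeded("body exceeds maxDataLength")
        body += b
    if declared is not None and nxt() != b"\x00":
        raise ValueError("missing NUL terminator")
    return command, headers, bytes(body)

# Constructed sample: SEND frame with a 64-byte body and no content-length header.
SAMPLE = b"SEND\ndestination:/queue/a\n\n" + b"x" * 64 + b"\x00"
if __name__ == "__main__":
    print(read_frame(io.BytesIO(SAMPLE), 1024, 64)[0])
```

With a declared content-length over the limit the frame is rejected as soon as the headers end, so no body bytes are read or buffered.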
