[
https://issues.apache.org/jira/browse/AMQ-5777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14546210#comment-14546210
]
Christopher L. Shannon commented on AMQ-5777:
---------------------------------------------
Yup, I realized that I needed to modify {{StompCodec}} as well shortly after I
sent my last message. I did a quick search on setMaxDataLength to see where
else it was called and found that class.

When I was looking at this earlier today it did appear that both
{{StompWireFormat}} and {{StompCodec}} properly check the content length on
just the message body in both the case when the content-length is set in the
header, and when it isn't. The action and headers are read and parsed from the
byte stream and have their own checks applied against them first. Then the
content length is verified against the remaining bytes on the stream so it
should only be checking the content. However, I'm going to test all cases and
make sure it actually works properly and if it doesn't I will fix it.

Right now I have a preliminary working patch that applies maxFrameSize
consistently in both {{StompWireFormat}} and {{StompCodec}} and currently tests
for TCP, SSL, NIO, and NIO+SSL are passing. However, I want to do some more
extensive testing and also double check that the maxDataLength only applies to
the actual content before pushing up my patch. I should be able to push a pull
request sometime Monday for you to take a look.

> Implement and test maxFrameSize for STOMP
> -----------------------------------------
>
> Key: AMQ-5777
> URL: https://issues.apache.org/jira/browse/AMQ-5777
> Project: ActiveMQ
> Issue Type: Sub-task
> Components: Broker
> Affects Versions: 5.11.1
> Reporter: Christopher L. Shannon
>
> Implement and test {{maxFrameSize}} for STOMP to help prevent DOS attacks.
> Testing should include TCP, SSL, NIO and NIO+SSL, etc.
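
The body-only length check described in the comment above, sketched as an added example (not ActiveMQ code and not written by the commenter): a minimal STOMP frame parser that applies its own limits to the command and header block first, then checks the body size both with and without a content-length header. The limit names and values are assumptions made for this sketch.

```python
class FrameTooLarge(Exception):
    """Raised when a frame exceeds a configured limit."""

# Assumed limits for this sketch, not ActiveMQ defaults.
MAX_HEADER_BYTES = 1024   # command line plus header block
MAX_HEADERS = 16
MAX_DATA_LENGTH = 64      # message body only

def parse_frame(buf: bytes, max_data: int = MAX_DATA_LENGTH):
    """Parse one STOMP frame from buf and return (command, headers, body)."""
    # Command and headers are bounded on their own, before the body is looked at.
    end = buf.find(b"\n\n", 0, MAX_HEADER_BYTES + 2)
    if end == -1:
        raise FrameTooLarge("header block exceeds limit or is incomplete")
    lines = buf[:end].decode("utf-8").split("\n")
    command, header_lines = lines[0], lines[1:]
    if len(header_lines) > MAX_HEADERS:
        raise FrameTooLarge("too many headers")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers.setdefault(key, value)  # first occurrence of a header wins
    body_start = end + 2
    if "content-length" in headers:
        declared = int(headers["content-length"])
        # Reject on the declared size before any buffer is sized from it.
        if declared < 0 or declared > max_data:
            raise FrameTooLarge(f"content-length {declared} exceeds {max_data}")
        body_end = body_start + declared
        body = buf[body_start:body_end]
        if len(body) != declared or buf[body_end:body_end + 1] != b"\0":
            raise ValueError("body shorter than content-length or NUL missing")
    else:
        # No declared size: scan for the NUL terminator, but only within the limit.
        nul = buf.find(b"\0", body_start, body_start + max_data + 1)
        if nul == -1:
            raise FrameTooLarge("no NUL terminator within max data length")
        body = buf[body_start:nul]
    return command, headers, body
```
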