Robbin,

Please, see:

http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.11

> 1:
> So connecting with an unallowed client terminates the VM.

Fixed.

> 2:
> Starting with a bad allow filter terminates the VM when connecting a
> client.

Moved allowed parameter (and parser call) to StartListening.

-Dmitry

On 2017-03-10 15:56, Robbin Ehn wrote:
> Hi Dmitry,
>
> I took a look at this, I have two practical issues:
>
> 1:
> [rehn@rehn-ws dev]$ java
> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.6.6.6
> -cp runs ForEver
> Listening for transport dt_socket at address: 9999
> ERROR: transport error 202: peer not allowed to connect: Success
> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
> error [transport.c:358]
>
> So connecting with an unallowed client terminates the VM.
>
> 2:
> [rehn@rehn-ws dev]$ java
> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.BAD.6.6
> -cp runs ForEver
> Listening for transport dt_socket at address: 9999
> ERROR: transport error 202: unable to parse list of allowed peers: Success
> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
> error [transport.c:358]
>
> Starting with a bad allow filter terminates the VM when connecting a
> client.
>
>
> Connecting with an unallowed ip/port should not terminate the VM and we
> should verify allow filter directly at startup.
>
> Thanks
>
> /Robbin
>
> On 02/28/2017 10:41 AM, Dmitry Samersoff wrote:
>> Everybody,
>>
>> Please review:
>>
>> http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.10/
>>
>> These changes introduce new parameter[1] of the socket transport -
>> allow. Users can explicitly specify a list of hosts that are allowed to
>> connect to jdwp server and it's the second part of JDWP hardening[2].
>>
>> No restrictions are applied by default now but I'll file a separate CR
>> to restrict list of allowed peers to localhost by default.
>>
>> Also these changes implement versioning for jdwp transport and therefore
>> simplify feature development of jdwp.
>>
>>
>> 1. Example command line:
>>
>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,
>> address=*,allow="127.0.0.0/8;192.168.0.0/24"
>>
>> Possible values for allow parameter:
>> * - accept connections from everywhere.
>> N.N.N.N - accept connections from this IP address only
>> N.N.N.N/nn - accept connections from particular ip subnet
>>
>>
>>
>> 2. JDK-8052136 JDWP hardening
>>
>> -Dmitry
>>

--
Dmitry Samersoff
Oracle Java development team, Saint Petersburg, Russia
* I would love to change the world, but they won't give me the sources.
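
The two behaviours asked for in this thread (check the allow list before listening, and turn away a non-matching peer without exiting), as an added example that is not part of the original messages and is not the JDK's own code. `parse_allow`, `peer_allowed`, `peer_t` and `MAX_PEERS` are hypothetical names; the sketch assumes IPv4 only and `;` as the separator, as in the example command line above.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PEERS 32
typedef struct { uint32_t net, mask; } peer_t;    /* host byte order */

/* Hypothetical helper: parse "*", "N.N.N.N" or "N.N.N.N/nn" entries split by ';'.
 * Returns the entry count (0 means "*"), or -1 so the caller can refuse to start. */
int parse_allow(const char *spec, peer_t *out, int max) {
    char buf[512];
    int n = 0;
    if (spec == NULL || strlen(spec) >= sizeof buf) return -1;
    if (strcmp(spec, "*") == 0) return 0;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, ";"); tok != NULL; tok = strtok(NULL, ";")) {
        struct in_addr a;
        long bits = 32;                            /* bare address = /32 */
        char *end, *slash = strchr(tok, '/');
        if (slash != NULL) {
            *slash = '\0';
            bits = strtol(slash + 1, &end, 10);
            if (end == slash + 1 || *end != '\0' || bits < 1 || bits > 32) return -1;
        }
        if (n == max || inet_pton(AF_INET, tok, &a) != 1) return -1;
        out[n].mask = 0xFFFFFFFFu << (32 - bits);
        out[n].net = ntohl(a.s_addr) & out[n].mask;
        n++;
    }
    return n > 0 ? n : -1;
}

/* Returns 1 to accept; 0 means drop this connection and keep listening. */
int peer_allowed(const peer_t *list, int n, const char *peer_ip) {
    struct in_addr a;
    if (n == 0) return 1;                          /* "*": no restriction */
    if (inet_pton(AF_INET, peer_ip, &a) != 1) return 0;
    for (int i = 0; i < n; i++)
        if ((ntohl(a.s_addr) & list[i].mask) == list[i].net) return 1;
    return 0;
}

int main(void) {                                   /* constructed sample input */
    peer_t l[MAX_PEERS], bad[MAX_PEERS];
    int n = parse_allow("127.0.0.0/8;192.168.0.0/24", l, MAX_PEERS);
    printf("entries=%d 6.6.6.6 allowed=%d bad list=%d\n", n,
           peer_allowed(l, n, "6.6.6.6"), parse_allow("6.BAD.6.6", bad, MAX_PEERS));
}
```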