Commit c9cd1e52 authored by Gaston Dombiak's avatar Gaston Dombiak Committed by gato

Fixed DoS attack that could bring the server down. JM-1289

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/branches/openfire_3_5_0@10031 b35dd754-fafc-0310-a699-88a17e54d16e
parent 9d4ff701
...@@ -188,6 +188,7 @@ hr { ...@@ -188,6 +188,7 @@ hr {
<h3>Openfire Bug Fixes</h3> <h3>Openfire Bug Fixes</h3>
<ul> <ul>
<li>[<a href='http://www.igniterealtime.org/issues/browse/JM-1289'>JM-1289</a>] - <font color="red"><b>!</b></font> Fixed DoS attack that could bring the server down.</li>
<li>[<a href='http://www.igniterealtime.org/issues/browse/JM-1175'>JM-1175</a>] - Fixed double-byte characters problem. <b>(4 votes)</b></li> <li>[<a href='http://www.igniterealtime.org/issues/browse/JM-1175'>JM-1175</a>] - Fixed double-byte characters problem. <b>(4 votes)</b></li>
<li>[<a href='http://www.igniterealtime.org/issues/browse/JM-1274'>JM-1274</a>] - Fixed sending of presence packets when using direct presences.</li> <li>[<a href='http://www.igniterealtime.org/issues/browse/JM-1274'>JM-1274</a>] - Fixed sending of presence packets when using direct presences.</li>
<li>[<a href='http://www.igniterealtime.org/issues/browse/JM-1275'>JM-1275</a>] - Messages sent to bare JIDs were not considering directed presences.</li> <li>[<a href='http://www.igniterealtime.org/issues/browse/JM-1275'>JM-1275</a>] - Messages sent to bare JIDs were not considering directed presences.</li>
......
/**
* $RCSfile: ConnectionManagerImpl.java,v $
* $Revision: $
* $Date: $
*
* Copyright (C) 2008 Jive Software. All rights reserved.
*
* This software is published under the terms of the GNU Public License (GPL),
* a copy of which is included in this distribution.
*/
package org.jivesoftware.openfire.net;
import org.apache.mina.common.IoFilterAdapter;
import org.apache.mina.common.IoSession;
import org.jivesoftware.util.Log;
import org.jivesoftware.util.JiveGlobals;
import java.io.IOException;
import java.util.Date;
/**
* MINA filter that will close sessions that are failing to read outgoing traffic
* and whose outgoing queue is around 5MB. Use the system property <tt>session.stalled.cap</tt>
* to set the max number of bytes allowed in the outgoing queue of a session before considering
* it stalled.
*
* @author Gaston Dombiak
*/
public class StalledSessionsFilter extends IoFilterAdapter {
private static final int bytesCap = JiveGlobals.getIntProperty("session.stalled.cap", 5242880);
public void filterWrite(NextFilter nextFilter, IoSession session, WriteRequest writeRequest)
throws Exception {
// Get number of pending requests
int pendingBytes = session.getScheduledWriteBytes();
if (pendingBytes > bytesCap) {
// Get last time we were able to send something to the connected client
long writeTime = session.getLastWriteTime();
int pendingRequests = session.getScheduledWriteRequests();
Log.debug("About to kill session with pendingBytes: " + pendingBytes + " pendingWrites: " +
pendingRequests + " lastWrite: " + new Date(writeTime) + "session: " + session);
// Close the session and throw an exception
session.close();
throw new IOException("Closing session that seems to be stalled. Preventing OOM");
}
// Call next filter (everything is fine)
super.filterWrite(nextFilter, session, writeRequest);
}
}
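Review bot: The kill decision in filterWrite is logged only at debug level, so in production the one event that signals a DoS attempt or a misbehaving client leaves no trace an operator can act on; log it at warn with the peer, e.g. `Log.warn("Closing stalled session " + session.getRemoteAddress() + " pendingBytes=" + pendingBytes + " pendingWrites=" + pendingRequests + " lastWrite=" + new Date(writeTime));` (the current message also lacks a space before `"session: "`). The cap is enforced per session, so the memory an attacker can pin is roughly `session.stalled.cap` times the number of connections they can open — the 5 MiB default bounds one connection, not the aggregate, and whatever connection or per-IP limit bounds the total is presumably elsewhere; the class Javadoc should say so. Because `bytesCap` is read once into a `static final`, a change to `session.stalled.cap` takes effect only after a restart, which the Javadoc should state as well. Note that `writeTime` is computed but never enters the decision, so a slow but progressing client that falls more than the cap behind is closed the same way as one that has stopped reading.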
/** /**
* $RCSfile: ConnectionManagerImpl.java,v $ * $RCSfile: ConnectionManagerImpl.java,v $
* $Revision: 3159 $ * $Revision: $
* $Date: 2005-12-04 22:56:40 -0300 (Sun, 04 Dec 2005) $ * $Date: $
* *
* Copyright (C) 2007 Jive Software. All rights reserved. * Copyright (C) 2008 Jive Software. All rights reserved.
* *
* This software is published under the terms of the GNU Public License (GPL), * This software is published under the terms of the GNU Public License (GPL),
* a copy of which is included in this distribution. * a copy of which is included in this distribution.
...@@ -324,6 +324,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana ...@@ -324,6 +324,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
socketAcceptor.getDefaultConfig().setThreadModel(threadModel); socketAcceptor.getDefaultConfig().setThreadModel(threadModel);
// Add the XMPP codec filter // Add the XMPP codec filter
socketAcceptor.getFilterChain().addFirst("xmpp", new ProtocolCodecFilter(new XMPPCodecFactory())); socketAcceptor.getFilterChain().addFirst("xmpp", new ProtocolCodecFilter(new XMPPCodecFactory()));
// Kill sessions whose outgoing queues keep growing and fail to send traffic
socketAcceptor.getFilterChain().addAfter("xmpp", "outCap", new StalledSessionsFilter());
} }
} }
...@@ -408,6 +410,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana ...@@ -408,6 +410,8 @@ public class ConnectionManagerImpl extends BasicModule implements ConnectionMana
// Add the XMPP codec filter // Add the XMPP codec filter
sslSocketAcceptor.getFilterChain().addFirst("xmpp", new ProtocolCodecFilter(new XMPPCodecFactory())); sslSocketAcceptor.getFilterChain().addFirst("xmpp", new ProtocolCodecFilter(new XMPPCodecFactory()));
sslSocketAcceptor.getFilterChain().addFirst("threadModel", executorFilter); sslSocketAcceptor.getFilterChain().addFirst("threadModel", executorFilter);
// Kill sessions whose outgoing queues keep growing and fail to send traffic
sslSocketAcceptor.getFilterChain().addAfter("xmpp", "outCap", new StalledSessionsFilter());
// Add the SSL filter now since sockets are "borned" encrypted in the old ssl method // Add the SSL filter now since sockets are "borned" encrypted in the old ssl method
SSLContext sslContext = SSLContext.getInstance(algorithm); SSLContext sslContext = SSLContext.getInstance(algorithm);
......
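Review bot: The filter is wired into socketAcceptor and sslSocketAcceptor only; if this class also builds acceptors for component, server-to-server or connection-manager links outside these hunks, they would presumably remain exposed to the same unbounded outgoing queue and need the same `addAfter("xmpp", "outCap", new StalledSessionsFilter())` line — those acceptors are not visible here. The filter name `"outCap"` is now repeated verbatim in two places; a `private static final String STALLED_FILTER_NAME = "outCap";` constant would keep them from drifting. Both enclosing methods start and end outside the hunks.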