Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
proton-0.11.1
None
Description
A rogue client creates a session on a channel higher than the channel-max exchanged at connection open.
Mon Apr 11 10:34:27 2016 SERVER (trace) [1]:pn_session: too many sessions: 1 channel_max is 0 (/home/chug/git/qpid-dispatch/src/server.c:116)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff793b84a in pn_do_begin (transport=0x6a4bd0, frame_type=0 '\000', channel=1, args=0x7c1f60, payload=0x7fffffffd2c0) at /home/chug/git/qpid-proton/proton-c/src/transport/transport.c:1205
1205      ssn->state.incoming_transfer_count = next;
Missing separate debuginfos, use: debuginfo-install nss-mdns-0.10-15.fc21.x86_64
(gdb)
(gdb) list
1200        // XXX: what if session is NULL?
1201        ssn = (pn_session_t *) pn_hash_get(transport->local_channels, remote_channel);
1202      } else {
1203        ssn = pn_session(transport->connection);
1204      }
1205      ssn->state.incoming_transfer_count = next;
1206      pni_map_remote_channel(ssn, channel);
1207      PN_SET_REMOTE(ssn->endpoint.state, PN_REMOTE_ACTIVE);
1208      pn_collector_put(transport->connection->collector, PN_OBJECT, ssn, PN_SESSION_REMOTE_OPEN);
1209      return 0;
(gdb) p ssn
$1 = (pn_session_t *) 0x0
(gdb)
Session is null and SEGV is what happens.
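
A small model of the two checks this crash points to, added here as an illustration and not taken from the report or from the qpid-proton source: reject a begin on a channel above the negotiated channel-max, and treat a NULL session as an error before any field is written. All type, function and constant names are hypothetical stand-ins, and returning an error code (rather than, say, closing the connection) is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the transport and session objects. */
typedef struct { uint32_t incoming_transfer_count; uint16_t remote_channel; } session_t;
typedef struct {
    uint16_t channel_max;    /* highest channel number agreed at connection open */
    uint16_t session_count;  /* sessions currently allocated */
} transport_t;

enum { BEGIN_OK = 0, BEGIN_ERR_CHANNEL = -1, BEGIN_ERR_NO_SESSION = -2 };

/* Modelled on the trace message: refuse a new session (return NULL)
 * once session_count exceeds channel_max, or if allocation fails. */
static session_t *session_new(transport_t *t) {
    if (t->session_count > t->channel_max) return NULL;
    session_t *s = calloc(1, sizeof *s);
    if (s != NULL) t->session_count++;
    return s;
}

/* Begin-frame handler that never dereferences an unchecked session. */
static int handle_begin(transport_t *t, uint16_t channel, uint32_t next,
                        session_t **out) {
    *out = NULL;
    if (channel > t->channel_max)   /* peer ignored the negotiated limit */
        return BEGIN_ERR_CHANNEL;
    session_t *ssn = session_new(t);
    if (ssn == NULL)                /* the case that crashed at line 1205 */
        return BEGIN_ERR_NO_SESSION;
    ssn->incoming_transfer_count = next;
    ssn->remote_channel = channel;
    *out = ssn;
    return BEGIN_OK;
}

int main(void) {
    /* Constructed input matching the trace: channel_max 0, begin on channel 1. */
    transport_t t = { .channel_max = 0, .session_count = 0 };
    session_t *ssn = NULL;
    printf("begin on channel 1: %d\n", handle_begin(&t, 1, 0, &ssn));
    printf("begin on channel 0: %d\n", handle_begin(&t, 0, 0, &ssn));
    free(ssn);
    printf("second begin on channel 0: %d\n", handle_begin(&t, 0, 0, &ssn));
    return 0;
}
```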