Qpid / QPID-3772

Qpid broker on Windows allows multiple, simultaneous processes to listen to broker port

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.14
    • Fix Version/s: 0.23
    • Component/s: C++ Broker
    • Labels:
    • Environment:

      Windows broker

      Description

      Socket code on Windows allows multiple, simultaneous listening processes on broker port.
      C:\Windows\system32>netstat -anb

      TCP 0.0.0.0:5672 0.0.0.0:0 LISTENING
      [qpidd2.exe]
      TCP 0.0.0.0:5672 0.0.0.0:0 LISTENING
      [qpidd.exe]

      This is a security issue as it allows a rogue process to hijack connections directed to the broker.

      A simple first step is in Socket.cpp to change SO_REUSEADDR to SO_EXCLUSIVEADDRUSE as described in
      http://msdn.microsoft.com/en-us/library/windows/desktop/cc150667%28v=vs.85%29.aspx
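The option change proposed in the description, as an added example that is not Qpid's code or the committed patch: a listener helper that sets SO_EXCLUSIVEADDRUSE on Windows before bind(), so a second process asking for the same port is refused. The names `open_exclusive_listener`, `bound_port`, `BIND_OPT` and the loopback address are assumptions made for the example; the POSIX branch is there only so the same file builds elsewhere.

```cpp
// Added example, not Qpid source; helper names are hypothetical.
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
typedef SOCKET sock_t;
static const sock_t BAD_SOCK = INVALID_SOCKET;
static void close_sock(sock_t s) { closesocket(s); }
// Windows: SO_REUSEADDR lets a second process bind a listening port; this option refuses it.
static const int BIND_OPT = SO_EXCLUSIVEADDRUSE;
#else
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
typedef int sock_t;
static const sock_t BAD_SOCK = -1;
static void close_sock(sock_t s) { close(s); }
// POSIX: SO_REUSEADDR only eases rebinding after TIME_WAIT; a second listener is still refused.
static const int BIND_OPT = SO_REUSEADDR;
#endif

// Listen on 127.0.0.1:port (0 = let the OS pick). Returns BAD_SOCK on failure.
sock_t open_exclusive_listener(unsigned short port) {
#ifdef _WIN32
    WSADATA wsa;  // WSAStartup is reference counted, so repeated calls are harmless
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return BAD_SOCK;
#endif
    sock_t s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s == BAD_SOCK) return BAD_SOCK;
    int on = 1;
    sockaddr_in addr = {};
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    // The option has to be set before bind() is called.
    if (setsockopt(s, SOL_SOCKET, BIND_OPT, (const char*)&on, sizeof on) != 0 ||
        bind(s, (sockaddr*)&addr, sizeof addr) != 0 || listen(s, 16) != 0) {
        close_sock(s);
        return BAD_SOCK;
    }
    return s;
}
// Port the socket is actually bound to, or 0 on error.
unsigned short bound_port(sock_t s) {
    sockaddr_in addr = {};
    socklen_t len = sizeof addr;
    if (getsockname(s, (sockaddr*)&addr, &len) != 0) return 0;
    return ntohs(addr.sin_port);
}
```

On Windows, link against ws2_32. Calling `open_exclusive_listener` twice with the same port should return `BAD_SOCK` the second time while the first socket is still open.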

        Activity

        Justin Ross made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Justin Ross added a comment -

        Released in Qpid 0.24, http://qpid.apache.org/releases/qpid-0.24/index.html

        Andrew Stitcher added a comment -

        Tested the patch and it stops multiple versions of the broker being able to start using the same port:
        ...
        2013-05-08 16:06:41 [Broker] critical Unexpected error: Can't bind to [::]:5672: Only one usage of each socket address (protocol/network address/port) is normally permitted. (C:\Users\andrew\Documents\GitHub\qpid\qpid\cpp\src\qpid\sys\windows\WinSocket.cpp:209)
        ...
        Is what we now get in the second instance to start up.

        Andrew Stitcher made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Assignee Andrew Stitcher [ astitcher ]
        Fix Version/s 0.23 [ 12324273 ]
        Fix Version/s Future [ 12315490 ]
        Resolution Fixed [ 1 ]
        Andrew Stitcher added a comment -

        Fixed on trunk in r1480437

        Andrew Stitcher made changes -
        Andrew Stitcher added a comment -

        Completely untested patch which just replaces SO_REUSEADDR

        Andrew Stitcher added a comment -

        I think this is the solution, not a "first step".

        From my reading of the Windows documentation, SO_REUSEADDR isn't needed on Windows anyway, but SO_EXCLUSIVEADDRUSE is to stop another process from opening your port.

        Chuck Rolke made changes -
        Field Original Value New Value
        Fix Version/s Future [ 12315490 ]
        Chuck Rolke created issue -

          People

          • Assignee:
            Andrew Stitcher
            Reporter:
            Chuck Rolke