Qpid / QPID-4021

Badly behaved clients can still clog up the broker

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.17
    • Fix Version/s: 0.23
    • Component/s: C++ Broker
    • Labels:
      None

      Description

      The recent code that times out new connections that have not negotiated the protocol within (a default) 2 seconds still leaves a gap where badly behaved applications can tie up the broker.

      The timeout should really be until either heartbeats are activated, in which case they will take over the role of timing out idle connections, or until the connection is authenticated, in which case the policy on admitting users should take care of limiting the connections.

          Activity

          Andrew Stitcher created issue -
          Andrew Stitcher made changes -
          Field Original Value New Value
          Affects Version/s 0.17 [ 12320179 ]
          Component/s C++ Broker [ 12311395 ]
          Andrew Stitcher made changes -
          Link This issue relates to QPID-2518 [ QPID-2518 ]
          Andrew Stitcher added a comment -

          This is CVE-2012-2145
          Andrew Stitcher added a comment -

          With the fix for QPID-4854 the trunk code (for 0.23) now will time out the initial protocol negotiation until the connection is fully authenticated and heartbeats (if set) are negotiated.
          Andrew Stitcher made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s 0.23 [ 12324273 ]
          Resolution Fixed [ 1 ]
          Rob Godfrey made changes -
          Link This issue relates to QPID-4925 [ QPID-4925 ]
          Justin Ross added a comment - Released in Qpid 0.24, http://qpid.apache.org/releases/qpid-0.24/index.html
          Justin Ross made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
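
The gap reported in the description and the behaviour described in the comment about the 0.23 trunk code, as a small C++ model added here for illustration. It is not Qpid code: every type and function name is hypothetical, the 2000 ms limit is the default quoted in the description, and treating a peer as dead after two silent heartbeat intervals is an assumption.

```cpp
#include <iostream>
#include <string>
#include <vector>
// Added illustrative model; all names are hypothetical, none are Qpid's.
enum class Phase { Accepted, ProtocolNegotiated, Authenticated };
enum class Policy { UntilProtocolNegotiated, UntilAuthenticated };

struct Conn {
    std::string name;
    Phase phase;
    long openedMs;        // when the broker accepted the socket
    long lastActivityMs;  // last frame received from the client
    long heartbeatMs;     // negotiated heartbeat interval, 0 = none
};

// Should the broker drop c at nowMs? limitMs is the 2 s default from the issue.
bool shouldClose(const Conn& c, long nowMs, Policy p, long limitMs = 2000) {
    const bool timerStopped = (p == Policy::UntilProtocolNegotiated)
        ? c.phase != Phase::Accepted        // gap: timer ends at protocol negotiation
        : c.phase == Phase::Authenticated;  // fix: timer runs until authenticated
    if (!timerStopped) return nowMs - c.openedMs > limitMs;
    // Heartbeats, if negotiated, take over. Assumption: two silent intervals = dead.
    if (c.phase == Phase::Authenticated && c.heartbeatMs > 0)
        return nowMs - c.lastActivityMs > 2 * c.heartbeatMs;
    return false;  // nothing times this connection out
}

// Names of the connections that would be closed at nowMs under policy p.
std::vector<std::string> reap(const std::vector<Conn>& conns, long nowMs, Policy p) {
    std::vector<std::string> closed;
    for (const Conn& c : conns)
        if (shouldClose(c, nowMs, p)) closed.push_back(c.name);
    return closed;
}

// Constructed sample: four clients accepted at t=0, inspected at t=10 s.
std::vector<Conn> sampleConns() {
    return {{"silent", Phase::Accepted, 0, 0, 0},
            {"stalls-after-header", Phase::ProtocolNegotiated, 0, 100, 0},
            {"healthy", Phase::Authenticated, 0, 9500, 1000},
            {"dead-peer", Phase::Authenticated, 0, 3000, 1000}};
}

int main() {
    for (Policy p : {Policy::UntilProtocolNegotiated, Policy::UntilAuthenticated}) {
        for (const auto& n : reap(sampleConns(), 10000, p)) std::cout << n << ' ';
        std::cout << '\n';
    }
}
```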

            People

            • Assignee: Unassigned
            • Reporter: Andrew Stitcher