Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 0.30
Description
The broker defaults channel-max to 255 or whatever has been configured.
When processing the Open frame sent by the peer, the broker attempts to use the sent channel-max value if it is lower than the configured default.
```java
public synchronized void receiveOpen(short channel, Open open)
{
    _channelMax = open.getChannelMax() == null ? _channelMax
            : open.getChannelMax().shortValue() < _channelMax
                    ? open.getChannelMax().shortValue()
                    : _channelMax;

    if (_receivingSessions == null)
    {
        _receivingSessions = new SessionEndpoint[_channelMax + 1];
        _sendingSessions = new SessionEndpoint[_channelMax + 1];
    }
```
The logic doesn't handle channel-max being an unsigned short, meaning its use of getChannelMax().shortValue() may yield negative values for those outwith the signed range upper limit.
For example, if the peer sends 65535 (possibly by default due to setting a later field in its Open frame) this will yield -1, which then has 1 added to it to create a 0-length array, leading to ArrayIndexOutOfBoundsException when the first Begin frame arrives. The following is output to stdout when this occurs:
```
[Broker] BRK-1004 : Qpid Broker Ready
00 53 11 c0 0b 05 40 52 01 43 43 70 00 00 04 00
java.lang.ArrayIndexOutOfBoundsException: 0
	at org.apache.qpid.amqp_1_0.transport.ConnectionEndpoint.receiveBegin(ConnectionEndpoint.java:569)
	at org.apache.qpid.amqp_1_0.type.transport.Begin.invoke(Begin.java:226)
	at org.apache.qpid.amqp_1_0.transport.ConnectionEndpoint.receive(ConnectionEndpoint.java:802)
	at org.apache.qpid.amqp_1_0.framing.FrameHandler.parse(FrameHandler.java:241)
	at org.apache.qpid.server.protocol.v1_0.ProtocolEngine_1_0_0_SASL$4.run(ProtocolEngine_1_0_0_SASL.java:384)
	at org.apache.qpid.server.protocol.v1_0.ProtocolEngine_1_0_0_SASL$4.run(ProtocolEngine_1_0_0_SASL.java:380)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.apache.qpid.server.protocol.v1_0.ProtocolEngine_1_0_0_SASL.received(ProtocolEngine_1_0_0_SASL.java:379)
	at org.apache.qpid.server.protocol.v1_0.ProtocolEngine_1_0_0_SASL.received(ProtocolEngine_1_0_0_SASL.java:66)
	at org.apache.qpid.server.protocol.MultiVersionProtocolEngine.received(MultiVersionProtocolEngine.java:153)
	at org.apache.qpid.server.protocol.MultiVersionProtocolEngine.received(MultiVersionProtocolEngine.java:51)
	at org.apache.qpid.transport.network.io.IoReceiver.run(IoReceiver.java:161)
	at java.lang.Thread.run(Thread.java:745)
```
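The narrowing described above, as an added example that is not code from the Qpid code base or its fix: it runs the signed comparison next to one done on ints and reports the array length each would produce. The class and method names and the peer values are constructed for illustration, and the table goes beyond the 65535 case to the other values above the signed range.

```java
public class ChannelMaxNegotiation {

    // Same comparison as the receiveOpen() snippet: the peer's unsigned 16-bit
    // channel-max is narrowed to a signed short before it is compared.
    static short negotiateSigned(short configured, Integer peerChannelMax) {
        if (peerChannelMax == null) {
            return configured;
        }
        short peer = peerChannelMax.shortValue(); // 65535 -> -1, 32768 -> -32768
        return peer < configured ? peer : configured;
    }

    // Comparison done on ints, so every value in 0..65535 keeps its magnitude.
    static int negotiateUnsigned(int configured, Integer peerChannelMax) {
        if (peerChannelMax == null) {
            return configured;
        }
        int peer = peerChannelMax;
        if (peer < 0 || peer > 0xFFFF) {
            throw new IllegalArgumentException("channel-max out of range: " + peer);
        }
        return Math.min(peer, configured);
    }

    // Length the session arrays would be given: channelMax + 1.
    static String arrayLength(int channelMax) {
        int length = channelMax + 1;
        return length < 0 ? "NegativeArraySizeException" : Integer.toString(length);
    }

    public static void main(String[] args) {
        short configured = 255; // broker default named in the description
        Integer[] peerValues = {null, 10, 255, 32767, 32768, 65535}; // constructed inputs
        System.out.printf("%-8s %-14s %-28s %-14s %s%n",
                "peer", "signed result", "signed array length", "int result", "int array length");
        for (Integer peer : peerValues) {
            short signed = negotiateSigned(configured, peer);
            int unsigned = negotiateUnsigned(configured, peer);
            System.out.printf("%-8s %-14d %-28s %-14d %s%n",
                    peer, signed, arrayLength(signed), unsigned, arrayLength(unsigned));
        }
    }
}
```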
Issue Links
- is duplicated by QPID-6153 [JMS 1.0 Client] Connection store channel max as a signed short while the value is an unsigned short (Resolved)