Posted to dev@qpid.apache.org by "Andrew Stitcher (JIRA)" <ji...@apache.org> on 2012/05/25 18:21:22 UTC

[jira] [Created] (QPID-4021) Badly behaved clients can still clog up the broker

Andrew Stitcher created QPID-4021:
-------------------------------------

             Summary: Badly behaved clients can still clog up the broker
                 Key: QPID-4021
                 URL: https://issues.apache.org/jira/browse/QPID-4021
             Project: Qpid
          Issue Type: Bug
            Reporter: Andrew Stitcher


The recent code that times out new connections that have not negotiated the protocol within (a default) 2 seconds still leaves a gap where badly behaved applications can tie up the broker.

The timeout should really be till either heartbeats are activated, in which case they will take over the role of timing out idle connections, or until the connection is authenticated, in which case the policy on admitting users should take care of limiting the connections.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
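
The timeout policy proposed in the issue above, modelled as an added example; it is not Qpid code and not from the reporter. The class, method names, the 2000 ms setup timeout value used in the scenario and the "two missed heartbeat intervals" idle rule are assumptions made for illustration.

```cpp
#include <cstdint>
#include <map>
#include <vector>

// Hypothetical model, not Qpid code. Times are milliseconds on a caller-supplied clock.
enum class Phase { Accepted, ProtocolNegotiated, Authenticated, HeartbeatActive };
struct Conn { Phase phase = Phase::Accepted; int64_t acceptedAt = 0, lastTraffic = 0, heartbeat = 0; };

class ConnectionWatchdog {
    std::map<int, Conn> conns_;
    int64_t setupTimeout_;
public:
    explicit ConnectionWatchdog(int64_t setupTimeoutMs) : setupTimeout_(setupTimeoutMs) {}
    void accept(int id, int64_t now) { Conn c; c.acceptedAt = c.lastTraffic = now; conns_[id] = c; }
    // Protocol negotiation alone does NOT disarm the setup timer (the gap the issue describes).
    void protocolNegotiated(int id) { conns_.at(id).phase = Phase::ProtocolNegotiated; }
    // After authentication, the user admission policy is what limits connections.
    void authenticated(int id) { conns_.at(id).phase = Phase::Authenticated; }
    // Once heartbeats are active, idle detection takes over from the setup timer.
    void heartbeatActive(int id, int64_t intervalMs, int64_t now) {
        Conn& c = conns_.at(id);
        c.phase = Phase::HeartbeatActive; c.heartbeat = intervalMs; c.lastTraffic = now;
    }
    void traffic(int id, int64_t now) { conns_.at(id).lastTraffic = now; }
    // Close and return every connection whose applicable deadline has passed.
    std::vector<int> sweep(int64_t now) {
        std::vector<int> closed;
        for (auto it = conns_.begin(); it != conns_.end();) {
            const Conn& c = it->second;
            bool expired = false;
            if (c.phase == Phase::Accepted || c.phase == Phase::ProtocolNegotiated)
                expired = now - c.acceptedAt >= setupTimeout_;
            else if (c.phase == Phase::HeartbeatActive)
                expired = now - c.lastTraffic >= 2 * c.heartbeat;  // assumed idle rule
            if (expired) { closed.push_back(it->first); it = conns_.erase(it); }
            else ++it;
        }
        return closed;
    }
};

// Constructed scenario: 1 stalls after negotiation, 2 authenticates, 3 enables heartbeats then goes idle.
std::vector<int> demoClosedAt(int64_t now) {
    ConnectionWatchdog w(2000);
    for (int id : {1, 2, 3}) { w.accept(id, 0); w.protocolNegotiated(id); }
    w.authenticated(2);
    w.heartbeatActive(3, 1000, 500);
    return w.sweep(now);
}
```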


[jira] [Commented] (QPID-4021) Badly behaved clients can still clog up the broker

Posted by "Andrew Stitcher (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/QPID-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283723#comment-13283723 ] 

Andrew Stitcher commented on QPID-4021:
---------------------------------------

This is CVE-2012-2145
                
> Badly behaved clients can still clog up the broker
> --------------------------------------------------
>
>                 Key: QPID-4021
>                 URL: https://issues.apache.org/jira/browse/QPID-4021
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.17
>            Reporter: Andrew Stitcher
>
> The recent code that times out new connections that have not negotiated the protocol within (a default) 2 seconds still leaves a gap where badly behaved applications can tie up the broker.
> The timeout should really be till either heartbeats are activated, in which case they will take over the role of timing out idle connections, or until the connection is authenticated, in which case the policy on admitting users should take care of limiting the connections.



[jira] [Updated] (QPID-4021) Badly behaved clients can still clog up the broker

Posted by "Andrew Stitcher (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/QPID-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Stitcher updated QPID-4021:
----------------------------------

          Component/s: C++ Broker
    Affects Version/s: 0.17
    
> Badly behaved clients can still clog up the broker
> --------------------------------------------------
>
>                 Key: QPID-4021
>                 URL: https://issues.apache.org/jira/browse/QPID-4021
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.17
>            Reporter: Andrew Stitcher
>
> The recent code that times out new connections that have not negotiated the protocol within (a default) 2 seconds still leaves a gap where badly behaved applications can tie up the broker.
> The timeout should really be till either heartbeats are activated, in which case they will take over the role of timing out idle connections, or until the connection is authenticated, in which case the policy on admitting users should take care of limiting the connections.
