Opened 6 years ago

Last modified 6 years ago

#15528 new defect

BOSH http parser does not appear to check the Content-Length header

Reported by: Zash
Owned by: deryni
Milestone:
Component: XMPP
Version: 2.10.3
Keywords: bosh
Cc:

Description

Due to an issue with pipelining, we discovered that when two HTTP responses are sent at the same time, Pidgin sees this as one response. Particularly when keep-alive kicks in.

Debug log looks like this:

(02:36:33) jabber: RecvBOSH (325): <body xmlns:stream='http://etherx.jabber.org/streams' xmpp:version='1.0'
xmlns:xmpp='urn:xmpp:xbosh' inactivity='60' requests='2' polling='5'
secure='true' hold='1' ver='1.6' authid='63cd70ac-4493-4cc3-92e2-2aad7daeb755'
wait='60' sid='63cd70ac-4493-4cc3-92e2-2aad7daeb755'
xmlns='http://jabber.org/protocol/httpbind'></body>HTTP/1.1 200 OK
Connection: keep-alive
Content-Type: text/xml; charset=utf-8
Content-Length: 453

<body xmlns:stream='http://etherx.jabber.org/streams' xmpp:version='1.0'
xmlns:xmpp='urn:xmpp:xbosh' inactivity='60' requests='2' polling='5'
secure='true' hold='1' ver='1.6' authid='63cd70ac-4493-4cc3-92e2-2aad7daeb755'
wait='60' sid='63cd70ac-4493-4cc3-92e2-2aad7daeb755' xmlns='http://jabber.org/protocol/httpbind'>
<iq id='purpled3129304' type='result' to='user@host/Pidgin' xmlns='jabber:client'/>
</body>

lines broken for less scrolling

Change History (1)

comment:1 Changed 6 years ago by darkrain42

An extremely quick glance at bosh.c suggests it is trying to process the content-length (I make no statement as to whether it's doing it properly). I think it's more likely (and again, a very quick skim seems to confirm this) that the issue here is that it processes the first response and then doesn't bother to check and see that there's more data remaining in the buffer (to treat as a second response), and I think it then throws away the data (oops...)

Consensus from the XSF summit was that pipelining should just not be used, so the fix here is probably to just remove that functionality and always start with two HTTP connections.

From Zash (re how to reproduce this):

(07:51:02) Zash: It sends a ping before getting a reply to a held request. When the held request times out or has something to say, both requests return, as the latter has a ping which gives a pong.
(07:51:44) Zash: And then the two replies get merged like that
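To show what darkrain42's skim describes, here is an added example (not Pidgin's bosh.c, and not code from anyone on this ticket) of a receive-buffer parser that splits pipelined keep-alive responses on Content-Length instead of treating the whole buffer as one response. The two-response buffer `SAMPLE` is constructed for the example with shortened bodies, and the parser assumes Content-Length-framed responses only (no chunked encoding); `parse_pipelined`, `sample_count`, `sample_consumed` and `sample_body_is` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_BODY 256

typedef struct {
    int status;           /* status code from the status line, e.g. 200 */
    long content_length;  /* value of the Content-Length header */
    char body[MAX_BODY];  /* NUL-terminated copy of the body bytes */
} http_response;

/* Constructed sample (not the ticket's log verbatim): two pipelined
 * keep-alive responses sitting in one receive buffer, bodies shortened. */
static const char SAMPLE[] =
    "HTTP/1.1 200 OK\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "<body xmlns='urn:example:one'></body>"
    "HTTP/1.1 200 OK\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "<body xmlns='urn:example:two'></body>";

size_t sample_len(void) { return sizeof(SAMPLE) - 1; }

/* Scan the header block [hdr, hdr+hdr_len) line by line for Content-Length.
 * Returns -1 when the header is absent (chunked bodies are not handled here). */
static long find_content_length(const char *hdr, size_t hdr_len)
{
    const char *p = hdr, *end = hdr + hdr_len;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t line_len = eol ? (size_t)(eol - p) : (size_t)(end - p);
        if (line_len > 15 && strncasecmp(p, "Content-Length:", 15) == 0)
            return strtol(p + 15, NULL, 10);  /* skips the space, stops at \r */
        if (!eol) break;
        p = eol + 1;
    }
    return -1;
}

/* Parse every complete response in buf[0..len). Returns how many were parsed and
 * sets *consumed to the bytes they occupied; the caller keeps buf[*consumed..len)
 * (a partial trailing response) for the next read instead of discarding it. */
int parse_pipelined(const char *buf, size_t len, http_response *out, int max_out, size_t *consumed)
{
    size_t off = 0;
    int n = 0;
    while (n < max_out && off < len) {
        const char *start = buf + off;
        size_t remain = len - off;
        const char *hdr_end = NULL;
        for (size_t i = 0; i + 4 <= remain; i++) {
            if (memcmp(start + i, "\r\n\r\n", 4) == 0) { hdr_end = start + i; break; }
        }
        if (!hdr_end) break;                              /* headers not complete yet */
        size_t hdr_len = (size_t)(hdr_end - start);
        const char *body = hdr_end + 4;
        long clen = find_content_length(start, hdr_len);
        if (clen < 0 || clen >= MAX_BODY) break;          /* unsupported or oversized */
        if ((size_t)clen > remain - hdr_len - 4) break;   /* body not complete yet */
        const char *sp = memchr(start, ' ', hdr_len);     /* "HTTP/1.1 200 OK" */
        out[n].status = sp ? (int)strtol(sp + 1, NULL, 10) : 0;
        out[n].content_length = clen;
        memcpy(out[n].body, body, (size_t)clen);
        out[n].body[clen] = '\0';
        n++;
        off += hdr_len + 4 + (size_t)clen;                /* step to the next response */
    }
    *consumed = off;
    return n;
}

/* Helpers over the constructed sample so individual results can be inspected. */
int sample_count(size_t len)
{
    http_response r[4]; size_t c;
    return parse_pipelined(SAMPLE, len, r, 4, &c);
}
size_t sample_consumed(size_t len)
{
    http_response r[4]; size_t c;
    parse_pipelined(SAMPLE, len, r, 4, &c);
    return c;
}
int sample_body_is(int idx, const char *expect)
{
    http_response r[4]; size_t c;
    int n = parse_pipelined(SAMPLE, sample_len(), r, 4, &c);
    return idx < n && strcmp(r[idx].body, expect) == 0;
}

int main(void)
{
    http_response r[4]; size_t consumed;
    int n = parse_pipelined(SAMPLE, sample_len(), r, 4, &consumed);
    printf("%d responses, %zu of %zu bytes consumed\n", n, consumed, sample_len());
    for (int i = 0; i < n; i++)
        printf("  [%d] status %d, %ld bytes: %s\n", i, r[i].status, r[i].content_length, r[i].body);
    return 0;
}
```

The point is the loop: after the first response is consumed the parser goes back to the buffer for a second one, and when only part of the next response has arrived it reports how much it consumed so the remainder is kept rather than thrown away.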