Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 667735

Summary: Messaging allows invalid encoding of strings with length > 64K [c++]
Product: Red Hat Enterprise MRG Reporter: Gordon Sim <gsim>
Component: qpid-cppAssignee: Ken Giusti <kgiusti>
Status: CLOSED ERRATA QA Contact: Petr Matousek <pematous>
Severity: urgent Docs Contact:
Priority: high    
Version: betaCC: freznice, iboverma, jneedle, kgiusti, mcressma, tross
Target Milestone: 1.3.2-RC2   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qpid-cpp-mrg-0.7.946106-27 Doc Type: Bug Fix
Doc Text:
Cause QPID clients that send a message containing a string which is greater than 65535 bytes in length. Consequence The client incorrectly converts the string to a binary data type, which loses the correct type of the data. Fix QPID does not support strings greater than 65535 bytes in length. The encoding code now checks the length of all strings sent by clients, and enforces this length limit. Result Should a client attempt to send a string with a length greater than 65535 bytes, an exception shall be thrown.
 Story Points: ---
Clone Of: 640312 Environment:
Last Closed: 2011-02-15 12:12:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 640312    
Bug Blocks:    
Attachments:
Description Flags
The c++ console which calls the echo method on the agent none

Description Gordon Sim 2011-01-06 16:17:15 UTC 
Original bug covers two components, c++ broker+client and python client, hence cloning this copy to cover the c++ part.

+++ This bug was initially created as a clone of Bug #640312 +++

Description of problem:

The 0.10 codecs (both C++ and python) will allow the encoding of a string data type with a length that is greater than 64K.  The 0.10 codec only defines string encodings that allow for strings up to 64K in length (length is encoded as a 16-bit unsigned integer).


Version-Release number of selected component (if applicable):
beta

How reproducible:
100%

Steps to Reproduce:
1. Send a message containing a string of length > 65535 bytes long.

  
Actual results:
Varies by implementation - C++ appears to convert the string to a vbin type.  Python appears to corrupt the encoded length value. 

Expected results:
0.10 does not support strings > 65535 bytes in length - attempting to send message containing such a string should fail and notify the calling application (e.g. throw an exception).

Additional info:

--- Additional comment from kgiusti on 2010-10-05 10:34:57 EDT ---

Created attachment 451681 [details]
A V2-based agent that provides a string echo method.

Can be used to reproduce the string encoding error.  Run the agent like this:

./run_nozzle -b host:port -n 1 -t 10 -q

A client can then query the agent for a data object _class="data", and invoke the echo method on the data object.  The method takes a string argument.  Attempting to invoke the method with a string with length > 65K will result in a timeout error.  It should fail immediately with an error indicating the string is too long.

Example client code:

#!/usr/bin/python                                                               

# $ ./big-echo.py mrg2.lab.bos.redhat.com 20                                    

from qmf.console import *

import sys

url, size = sys.argv[1:3]
size = int(size)

s = Session()
b = s.addBroker(url)
a = b.getAgents()[1]
d = a.getObjects(_class="data")[0]

d.echo(1, "x" * size)

s.delBroker(b)

--- Additional comment from kgiusti on 2010-10-27 09:39:52 EDT ---

Created attachment 455973 [details]
Proposed fix.

Proposed patch: will throw an exception if an attempt is to encode a value that cannot be represented by the target type.

--- Additional comment from gsim on 2010-10-27 11:01:39 EDT ---

Comment on attachment 455973 [details]
Proposed fix.

Seems reasonable fix to me.

--- Additional comment from kgiusti on 2010-10-28 11:26:47 EDT ---

Upstream JIRA:

https://issues.apache.org/jira/browse/QPID-2916

--- Additional comment from kgiusti on 2010-10-29 13:27:05 EDT ---

Upstream fix:

http://svn.apache.org/viewvc?view=revision&revision=1028501
http://svn.apache.org/viewvc?view=revision&revision=1028812
Comment 1 Ken Giusti 2011-01-24 18:14:02 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    QPID clients that send a message containing a string which is greater than 65535 bytes in length.
Consequence
    The client incorrectly converts the string to a binary data type, which loses the correct type of the data.
Fix
    QPID does not support strings greater than 65535 bytes in length.  The encoding code now checks the length of all strings sent by clients, and enforces this length limit.
Result
    Should a client attempt to send a string with a length greater than 65535 bytes, an exception shall be thrown.
Comment 2 Frantisek Reznicek 2011-01-27 10:55:00 UTC 
Created attachment 475576 [details]
The c++ console which calls the echo method on the agent

g++ -Wall console.cpp -lqpidclient -lqmfconsole -o console

Usage:
  ./console N where N is size of the string passed to nozzle/data.echo() method
Comment 5 Petr Matousek 2011-02-01 13:54:18 UTC 
The current observations highlights that qmf console ran against v1 qmf agent (broker) can:
- timeout
- crash (SIGSEGV)
- exception qpid::framing::OutOfBounds
- exception 'Top Level Exception: Could not encode string of 65536 bytes as uint16_t string.' which is expected behavior


The QMF (attached) console calls echo() method with string of length N. See details in comment 4.


Further details on QMF C++ console crash will come soon...


rhel4 (similar on rhel5)

N:
- 0 <= OK < 65301 ($? = 0) 

- 65300 < timeout < 65456 (rh4_64)
  Result: code=4097 text=Method call timed out

- 65455 < Out of Bounds < 65471/65480(rh4_64/rh4_32)
  Top Level Exception: Out of Bounds
  terminate called after throwing an instance of 'qpid::framing::OutOfBounds'
    what():  Out of Bounds
  Aborted

- 65471/65480 < Segfault < 65536
  Segmentation fault

- 65535 < OK < infinity
  Call echo method...
  Top Level Exception: Could not encode string of 65536 bytes as uint16_t string. (qpid/framing/Buffer.cpp:266) 


# ./console 10
Creating SessionManager
Adding broker
Get agents: (1):
agent[0] BrokerAgent
Broker: org.apache.qpid.broker:broker[0-0-1-0-2] amqp-broker
Call echo method...
Result: code=0 text=OK
   Output Arg: body => **********
   Output Arg: sequence => 1
# echo $?
0

# ./console 65440
Creating SessionManager
Adding broker
Get agents: (1):
agent[0] BrokerAgent
Broker: org.apache.qpid.broker:broker[0-0-1-0-2] amqp-broker
Call echo method...
Result: code=4097 text=Method call timed out
# echo $?
0

# ./console 65480
Creating SessionManager
Adding broker
Get agents: (1):
agent[0] BrokerAgent
Broker: org.apache.qpid.broker:broker[0-0-1-0-2] amqp-broker
Call echo method...
terminate called after throwing an instance of 'qpid::framing::OutOfBounds'
  what():  Out of Bounds
Aborted
# echo $?
134

# ./console 65480
Creating SessionManager
Adding broker
Get agents: (1):
agent[0] BrokerAgent
Broker: org.apache.qpid.broker:broker[0-0-1-0-2] amqp-broker
Call echo method...
Segmentation fault
# echo $?
139

# ./console 65481
Creating SessionManager
Adding broker
Get agents: (1):
agent[0] BrokerAgent
Broker: org.apache.qpid.broker:broker[0-0-1-0-2] amqp-broker
Call echo method...
Segmentation fault
# echo $?
139

# ./console 65536
Creating SessionManager
Adding broker
Get agents: (1):
agent[0] BrokerAgent
Broker: org.apache.qpid.broker:broker[0-0-1-0-2] amqp-broker
Call echo method...
Top Level Exception: Could not encode string of 65536 bytes as uint16_t string. (qpid/framing/Buffer.cpp:266)
# echo $?
0
Comment 9 Petr Matousek 2011-02-02 10:16:16 UTC 
During verification of this BZ some new issues regarding incorrect string handling were found. The result is that two new bugs was open: BZ674392, BZ674390.

The issue has been fixed, tested on RHEL 4.9 / 5.6 i386 / x86_64 on packages:
python-qpid-0.7.946106-15.el5
qpid-cpp-client-0.7.946106-27.el5
qpid-cpp-client-devel-0.7.946106-27.el5
qpid-cpp-client-devel-docs-0.7.946106-27.el5
qpid-cpp-client-ssl-0.7.946106-27.el5
qpid-cpp-mrg-debuginfo-0.7.946106-27.el5
qpid-cpp-server-0.7.946106-27.el5
qpid-cpp-server-cluster-0.7.946106-27.el5
qpid-cpp-server-devel-0.7.946106-27.el5
qpid-cpp-server-ssl-0.7.946106-27.el5
qpid-cpp-server-store-0.7.946106-27.el5
qpid-cpp-server-xml-0.7.946106-27.el5
qpid-java-client-0.7.946106-14.el5
qpid-java-common-0.7.946106-14.el5
qpid-java-example-0.7.946106-14.el5
qpid-tools-0.7.946106-12.el5


VERIFIED
Comment 10 errata-xmlrpc 2011-02-15 12:12:19 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0217.html