Handle invalid STOMP content-length header value

After this change if a content-length header is provided but is less
than 0 or cannot be parsed as a number, it is ignored and the body
is read sequentially, i.e. until we reach a null byte terminator.

This provides better protection against clients that may set the
content-length header in error.

Issue: SPR-11528
This commit is contained in:
Rossen Stoyanchev
2014-03-10 22:07:39 -04:00
parent cff23b84ae
commit 13af188bdc
2 changed files with 44 additions and 5 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2013 the original author or authors.
* Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@ import org.springframework.messaging.simp.SimpMessageType;
import org.springframework.messaging.support.MessageBuilder;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
/**
* Decodes STOMP frames from a {@link ByteBuffer}. If the buffer does not contain
@@ -151,9 +152,17 @@ public class StompDecoder {
}
private byte[] readPayload(ByteBuffer buffer, MultiValueMap<String, String> headers) {
String contentLengthString = headers.getFirst("content-length");
if (contentLengthString != null) {
int contentLength = Integer.valueOf(contentLengthString);
Integer contentLength = null;
if (headers.containsKey("content-length")) {
String rawContentLength = headers.getFirst("content-length");
try {
contentLength = Integer.valueOf(rawContentLength);
}
catch (NumberFormatException ex) {
logger.warn("Ignoring invalid content-length header value: '" + rawContentLength + "'");
}
}
if (contentLength != null && contentLength >= 0) {
if (buffer.remaining() > contentLength) {
byte[] payload = new byte[contentLength];
buffer.get(payload);