[SERVER-30694] Large legacy wire protocol messages cause crash in ServiceStateMachine Created: 16/Aug/17  Updated: 20/Sep/17  Resolved: 24/Aug/17

Status: Closed
Project: Core Server
Component/s: Networking
Affects Version/s: 3.5.11
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Kaloian Manassiev Assignee: Sara Golemon
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-30473 Denial of service from wild Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

var st = new ShardingTest({shards: 1});

// Four 15MB documents in a single batch: a legacy insert message of roughly 60MB,
// well above the 48MB maximum the server accepts.
var data15MB = 'x'.repeat(15 * 1024 * 1024);
var inserts = [
        {ukey: 1, data: data15MB},
        {ukey: 2, data: data15MB},
        {ukey: -1, data: data15MB},
        {ukey: -2, data: data15MB}
];

// Force the legacy write mode so the batch is sent as one legacy wire protocol message.
var mongosWithLegacyWrites = new Mongo(st.s0.name);
mongosWithLegacyWrites.forceWriteMode('legacy');

var testColl = mongosWithLegacyWrites.getCollection('TestDB.TestColl');
assert.writeOK(testColl.insert(inserts));

Description:

If a large (more than 48MB) wire protocol message is sent to the server, it crashes with the following output:

[js_test:bulk_insert] 2017-08-16T12:20:58.706-0400 s20016| 2017-08-16T12:20:58.706-0400 I NETWORK  [conn2] recv(): message msgLen 62914792 is invalid. Min 16 Max: 48000000
[js_test:bulk_insert] 2017-08-16T12:20:58.706-0400 s20016| 2017-08-16T12:20:58.706-0400 F -        [conn2] Invariant failure !_inMessage.empty() src\mongo\transport\service_state_machine.cpp 297
[js_test:bulk_insert] 2017-08-16T12:20:58.706-0400 s20016| 2017-08-16T12:20:58.706-0400 F -        [conn2]
[js_test:bulk_insert] 2017-08-16T12:20:58.706-0400 s20016|
[js_test:bulk_insert] 2017-08-16T12:20:58.707-0400 s20016| ***aborting after invariant() failure
[js_test:bulk_insert] 2017-08-16T12:20:58.707-0400 s20016|
[js_test:bulk_insert] 2017-08-16T12:20:58.707-0400 s20016|
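An added illustration (not MongoDB's code) of the defensive shape of this receive path: a header parser that bounds-checks the declared message length against the limits quoted in the log, and a state-machine step that closes the connection when no message was received instead of asserting that one exists. The field layout, the names and the 2002 opcode value used for the constructed header are assumptions made for this example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Bounds quoted in the crash log: a message is at least the 16-byte header and at most 48000000 bytes.
constexpr int32_t kHeaderLen = 16;
constexpr int32_t kMinMsgLen = 16;
constexpr int32_t kMaxMsgLen = 48000000;

struct MsgHeader { int32_t messageLength; int32_t requestID; int32_t responseTo; int32_t opCode; };
enum class RecvStatus { Ok, NeedMoreData, InvalidLength };
enum class NextAction { Process, CloseConnection };

// Header fields are little-endian int32 (assumed layout: messageLength, requestID, responseTo, opCode).
static int32_t readLE32(const uint8_t* p) {
    uint32_t v = uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
    return static_cast<int32_t>(v);
}

// Validate the declared length before any body is read; an out-of-range length is
// reported as a status and never trusted for allocation.
RecvStatus validateHeader(const std::vector<uint8_t>& buf, MsgHeader* out, std::string* err) {
    if (buf.size() < static_cast<size_t>(kHeaderLen)) return RecvStatus::NeedMoreData;
    MsgHeader h{readLE32(&buf[0]), readLE32(&buf[4]), readLE32(&buf[8]), readLE32(&buf[12])};
    if (h.messageLength < kMinMsgLen || h.messageLength > kMaxMsgLen) {
        *err = "recv(): message msgLen " + std::to_string(h.messageLength) +
               " is invalid. Min 16 Max: 48000000";
        return RecvStatus::InvalidLength;
    }
    *out = h;
    return RecvStatus::Ok;
}

// The state-machine step after a receive: with no message in hand the only safe
// transition is to close the connection, not to assert that a message is present.
NextAction afterSourceMessage(RecvStatus st) {
    return st == RecvStatus::Ok ? NextAction::Process : NextAction::CloseConnection;
}

// Constructed test input: a header declaring `len` bytes (2002 assumed as the legacy OP_INSERT opcode).
std::vector<uint8_t> makeHeader(int32_t len, int32_t opCode = 2002) {
    std::vector<uint8_t> h(kHeaderLen, 0);
    auto put = [&](size_t off, int32_t v) {
        for (int i = 0; i < 4; ++i) h[off + i] = uint8_t((static_cast<uint32_t>(v) >> (8 * i)) & 0xff);
    };
    put(0, len); put(4, 1); put(8, 0); put(12, opCode);
    return h;
}
```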

Comments:
Comment by Sara Golemon [ 22/Aug/17 ]

Fixed by SERVER-30473

Generated at Thu Feb 08 04:24:42 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.