Opened 5 years ago

Closed 5 years ago

#1421 closed defect (fixed)

udp AIOOB

Reported by: Eche|on Owned by: zzz
Priority: minor Milestone: 0.9.18
Component: router/transport Version: 0.9.17
Keywords: Cc:
Parent Tickets: Sensitive: no

Description

06.12.14 22:31:26 CRIT [receiver 5/5] .transport.udp.MessageReceiver?: Error dealing with a message: IB Message: 1420182583 from [Hash: xk3l5QVexh6sleGQdKoUVMqwqNfx94IOq0mrqVCWZTY=] completely received with 76 bytes lifetime: 0

java.lang.ArrayIndexOutOfBoundsException?
at net.i2p.data.SDSCache.get(SDSCache.java:164)
at net.i2p.data.Hash.create(Hash.java:54)
at net.i2p.data.i2np.DatabaseLookupMessage?.readMessage(DatabaseLookupMessage?.java:364)
at net.i2p.data.i2np.I2NPMessageImpl.readMessage(I2NPMessageImpl.java:380)
at net.i2p.data.i2np.I2NPMessageImpl.fromRawByteArray(I2NPMessageImpl.java:419)
at net.i2p.router.transport.udp.MessageReceiver?.readMessage(MessageReceiver?.java:215)
at net.i2p.router.transport.udp.MessageReceiver?.loop(MessageReceiver?.java:160)
at net.i2p.router.transport.udp.MessageReceiver?$Runner.run(MessageReceiver?.java:82)
at java.lang.Thread.run(Unknown Source)
at net.i2p.util.I2PThread.run(I2PThread.java:84)

Subtickets

Change History (1)

comment:1 Changed 5 years ago by zzz

Resolution: fixed
Status: newclosed

This is caused by a malformed DatabaseLookupMessage?.

orignal says that long ago, i2pd did generate bad DLMs, caused by an endian swap in the peers count, which caused the DLM read method to run off the end of the array. and AIOOBE. This is one piece of evidence that there are old versions of i2pd running out there.

As the message could have been sent out a tunnel, the router xk3l is not necessarily the originator.

I've reduced the log level from CRIT to ERROR in 72542ce164d7536871b8a4dbd5001e48d90668ac which will be 0.9.17-3 once the version is bumped.

So I don't think this is a bug in the Java router, declaring this fixed with the log level change.

Note: See TracTickets for help on using tickets.