4 Replies Latest reply on May 8, 2017 4:41 AM by Michael

    Smack disconnects if <priority> is out of range

    Michael

      I'd like to report a potential issue.  It looks like [SMACK-60] Invalid priority shouldn't crash connection.

       

      Smack does not seem to correctly check the value of the <priority/> element of a received presence stanza.

      The value of the <priority/> element in a presence stanza MUST be an integer between -128 and +127.

       

      If Smack receives a message with a value that is out of range, the client gets disconnected (instead of setting it to 0).

      See commit Assume Presence priority to be zero when priority is out of range. SM… · igniterealtime/Smack@7b62abf · GitHub

        }
        else if (elementName.equals("priority")) {
            try {
                int priority = Integer.parseInt(parser.nextText());
                presence.setPriority(priority);
            }
            catch (NumberFormatException nfe) { }
            catch (IllegalArgumentException iae) {
                // Presence priority is out of range so assume priority to be zero
                presence.setPriority(0);
            }
        }

      There is no value check anymore in https://github.com/igniterealtime/Smack/blob/master/smack-core/src/main/java/org/jivesoftware/smack/util/PacketParserUtils.java

      You can reproduce the issue as follows:

      • Smack client
      • Psi clients (set the priority to a value that is out of range)
      • Both clients join a chat room
      • Psi sends a message with wrong <priority/> to the chat room
      • Smack client will get disconnected -- user will no longer be allowed to join the room.

       

      Can someone please confirm this?
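
The handling described in the post above (treat an out-of-range or unparsable <priority/> as 0 instead of letting the error end the connection), as an added example that is not part of the original post and is not Smack's code. It uses the JDK's StAX reader rather than Smack's parser; the class name, method names and sample stanzas are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class PresencePriorityDemo {           // hypothetical class, not part of Smack
    static final int MIN_PRIORITY = -128, MAX_PRIORITY = 127;

    // Never throws for a bad value: input controlled by a remote peer must not
    // be able to reach the code path that tears down the connection.
    static int parsePriority(String text) {
        if (text == null) return 0;
        try {
            int value = Integer.parseInt(text.trim());
            return (value < MIN_PRIORITY || value > MAX_PRIORITY) ? 0 : value;
        } catch (NumberFormatException nfe) {
            return 0;                         // non-numeric, empty, or beyond int range
        }
    }

    // Returns the priority carried by one presence stanza, or 0 if it has no <priority/> child.
    static int priorityOf(String stanzaXml) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);   // stanzas never carry a DTD
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(stanzaXml));
        int priority = 0;
        while (reader.hasNext()) {
            if (reader.next() == XMLStreamConstants.START_ELEMENT
                    && "priority".equals(reader.getLocalName())) {
                priority = parsePriority(reader.getElementText());
            }
        }
        return priority;
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed sample values: in range, boundary, out of range, malformed.
        String[] values = {"5", "-128", "127", "128", "-129", "abc", "99999999999", ""};
        for (String v : values) {
            String stanza = "<presence from='room@conference.example.org/nick'><priority>"
                    + v + "</priority></presence>";
            System.out.println("'" + v + "' -> " + priorityOf(stanza));
        }
    }
}
```

Only the first three sample values are accepted as sent; every other value is mapped to 0 and parsing continues.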