Bug #101386 for RPC-XML: Malformed input crashes server

Wed Jan 07 17:09:51 2015 w32.perforin [...] gmail.com - Ticket created

Subject:

Malformed input crashes server

Hi When sending malformed/unclosed namespaces the server simply chrashes. Tested under 62bit and 32bit, Debian GNU/Linux 8.0 and Ubuntu 14.04.1 with Perl v5.18.2 and v5.20.1 Here's my server example and custom client for testing. You can play around with the namespaces.

Subject:

crash_rpc_server.pl

#!/usr/bin/env perl use IO::Socket::INET; $msg =<<'EOF'; <?xml version="1.0" encoding="us-ascii"?> <methodCall> <methodName>chrash.this by a simple < </methodName> <params> <param><value><string>Malformed string</string></value></param> </params> </methodCall> EOF $socket = new IO::Socket::INET(PeerAddr => '127.0.0.1', PeerPort => 8001, Type => SOCK_STREAM, Proto => 'tcp') || die $!; print $socket "POST / HTTP/1.0\r\n"; print $socket "Accept-Encoding: deflate\r\n"; print $socket "Host: 127.0.0.1:8001\r\n"; print $socket "User-Agent: RPC::XML::Client/1.42 libwww-perl/6.08\r\n"; print $socket "Content-Length: " , length $msg , "\r\n"; print $socket "Content-Type: text/xml\r\n\n"; print $socket $msg;

Subject:

simple_rpc_server.pl

#!/usr/bin/env perl use RPC::XML; use RPC::XML::Server; $daemon = RPC::XML::Server->new(host => '127.0.0.1', port => 8001 ); $daemon->add_method({ name => 'chrash.this', signature => ['string'], code => \&chrash_this }); $daemon->server_loop(); sub chrash_this { return "foobar"; }

Wed Jan 07 17:20:10 2015 rjray [...] blackperl.com - Status changed from 'new' to 'open'

Wed Jan 07 17:20:10 2015 rjray [...] blackperl.com - Taken

Wed Jan 07 19:41:02 2015 rjray [...] blackperl.com - Correspondence added

On Wed Jan 07 17:09:51 2015, w32.perforin@gmail.com wrote: Show quoted text

> Hi > > When sending malformed/unclosed namespaces the server simply chrashes. > > Tested under 62bit and 32bit, Debian GNU/Linux 8.0 and Ubuntu 14.04.1 > with Perl v5.18.2 and v5.20.1 > > Here's my server example and custom client for testing. You can play > around with the namespaces.

It turns out that this is due to the client immediately exiting after sending the message, without reading the response from the server. The server catches the parse error, but when it tries to send an error response to the client the socket is already closed and a SIGPIPE is triggered. That said, I can put in better handling in the relevant places, and using the send_error() method from HTTP::Daemon isn't that useful since it creates an HTML message and any client is not going to be expecting HTML in the response. So I need to re-do most of the error handling/reporting in this section anyway. Randy -- Randy J. Ray rjray@blackperl.com randy.j.ray@gmail.com