From: Dave B. <bla...@us...> - 2013-08-21 10:14:37
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv7383/src/org/sblim/cimclient Modified Files: Tag: CIM_CLIENT_2_1_4_M WBEMListenerSBLIM.java WBEMConfigurationProperties.java Log Message: 2635 Slowloris DoS attack for CIM indication listener port
Index: WBEMConfigurationProperties.java
===================================================================
RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/WBEMConfigurationProperties.java,v
retrieving revision 1.29.2.1
retrieving revision 1.29.2.2
diff -u -d -r1.29.2.1 -r1.29.2.2
--- WBEMConfigurationProperties.java 16 Mar 2010 01:01:46 -0000 1.29.2.1
+++ WBEMConfigurationProperties.java 21 Aug 2013 10:14:35 -0000 1.29.2.2
@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2006, 2010
+ * (C) Copyright IBM Corp. 2006, 2013
 *
 * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE
 * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE
@@ -25,6 +25,7 @@
 * 2930341 2010-01-12 blaschke-oss Sync up WBEMClientConstants with JSR48 1.0.0
 * 2957387 2010-03-03 blaschke-oss EmbededObject XML attribute must not be all uppercases
 * 2970881 2010-03-15 blaschke-oss Add property to control EmbeddedObject case
+ * 2635 2013-05-16 blaschke-oss Slowloris DoS attack for CIM indication listener port
 */
 package org.sblim.cimclient;
@@ -594,6 +595,38 @@
 public static final String LISTENER_HTTP_TIMEOUT = "sblim.wbem.listenerHttpTimeout";
 /**
+ * The header timeout for http connections of an indication listener. The
+ * header timeout is defined as the maximum amount of time allowed to read
+ * in the entire http header. A timeout of zero is interpreted as infinite
+ * timeout.<br />
+ * <br />
+ * Note: One form of DoS attack sends periodic http header lines in an
+ * attempt to keep the socket open indefinitely. This timeout can be used to
+ * thwart such an attempt.<br />
+ * <br />
+ * Type: <code>Integer</code><br/>
+ * Unit: <code>Milliseconds</code><br />
+ * Recognition: <code>On next creation of a WBEMListener<code><br/>
+ * Range: <code>0 .. Integer.MAX_VALUE</code><br />
+ * Default: <code>30000</code><br/>
+ */
+ public static final String LISTENER_HTTP_HEADER_TIMEOUT = "sblim.wbem.listenerHttpHeaderTimeout";
+
+ /**
+ * The maximum allowable timeouts an http connection of an indication
+ * listener can have before the client ignores it. In other words, the
+ * number of times an IP exceeds sblim.wbem.listenerHttpTimeout and
+ * sblim.wbem.listenerHttpHeaderTimeout before it is blocked. A value of
+ * zero is interpreted as unlimited timeouts.<br />
+ * <br />
+ * Type: <code>Integer</code><br />
+ * Recognition: <code>On next creation of a WBEMListener</code><br />
+ * Range: <code>0 .. Integer.MAX_VALUE</code><br />
+ * Default: <code>0</code><br />
+ */
+ public static final String LISTENER_HTTP_MAX_ALLOWED_TIMEOUTS = "sblim.wbem.listenerHttpMaxAllowedTimeouts";
+
+ /**
 * The size of the thread pool for the connection handlers of the indicati
 * for http connections of an indication listener.
This is the maximum
 * number of handler threads the pool might create on heavy load.<br />
Index: WBEMListenerSBLIM.java
===================================================================
RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/WBEMListenerSBLIM.java,v
retrieving revision 1.11
retrieving revision 1.11.8.1
diff -u -d -r1.11 -r1.11.8.1
--- WBEMListenerSBLIM.java 28 Apr 2009 19:42:45 -0000 1.11
+++ WBEMListenerSBLIM.java 21 Aug 2013 10:14:35 -0000 1.11.8.1
@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2006, 2009
+ * (C) Copyright IBM Corp. 2006, 2013
 *
 * THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE
 * ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE
@@ -19,6 +19,7 @@
 * 2524131 2009-01-21 raman_arora Upgrade client to JDK 1.5 (Phase 1)
 * 2531371 2009-02-10 raman_arora Upgrade client to JDK 1.5 (Phase 2)
 * 2763216 2009-04-14 blaschke-oss Code cleanup: visible spelling/grammar errors
+ * 2635 2013-05-16 blaschke-oss Slowloris DoS attack for CIM indication listener port
 */
 package org.sblim.cimclient;
@@ -55,6 +56,8 @@
 private IndicationListener iIndicationListener;
+ private HttpConnectionHandler iConnectionHandler;
+
 private HttpServerConnection iConnection;
 /**
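Review bot: In the `@@ -594,6 +595,38 @@` hunk of WBEMConfigurationProperties.java, the Javadoc for `LISTENER_HTTP_MAX_ALLOWED_TIMEOUTS` gives a default of 0, which the same comment defines as unlimited timeouts, so as documented no IP is blocked unless an operator sets the property. The comment should say so directly, for example `Note: with the default of 0 no IP is ever blocked; set a positive value to enable blocking.` It also does not state whether a blocked IP is ever unblocked or whether the timeout count resets, which matters when several legitimate indication senders share one address behind NAT or a proxy. In the `LISTENER_HTTP_HEADER_TIMEOUT` comment the Recognition line opens a second `<code>` instead of closing the first; it should read `Recognition: <code>On next creation of a WBEMListener</code><br/>`.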
@@ -79,12 +82,14 @@
 */
 public WBEMListenerImpl(String pLocalAddress, int pPort, boolean pSSL, IndicationListener pIndicationListener, Properties pProperties) throws IOException {
+ WBEMConfiguration config = pProperties != null ? new WBEMConfiguration(pProperties)
+ : WBEMConfiguration.getGlobalConfiguration();
 iIndicationListener = pIndicationListener;
 CIMEventDispatcher eventDispatcher = new CIMEventDispatcher(iIndicationListener);
 CIMIndicationHandler indicationHandler = new CIMIndicationHandler(eventDispatcher);
- iConnection = new HttpServerConnection(new HttpConnectionHandler(indicationHandler),
- pLocalAddress, pPort, pSSL, pProperties != null ? new WBEMConfiguration(
- pProperties) : WBEMConfiguration.getGlobalConfiguration());
+ this.iConnectionHandler = new HttpConnectionHandler(indicationHandler, config);
+ iConnection = new HttpServerConnection(this.iConnectionHandler, pLocalAddress, pPort,
+ pSSL, config);
 }
 @Override
@@ -124,6 +129,25 @@
 return this.iConnection.getPort();
 }
+ /**
+ * Get the IPs blocked by the listener.
+ *
+ * @return The comma-separated list of blocked IPs.
+ */
+ public String getBlockedIPs() {
+ return this.iConnectionHandler.getBlockedIPs();
+ }
+
+ /**
+ * Set the IPs to be blocked by the listener.
+ *
+ * @param pIPs
+ * The comma-separated list of blocked IPs.
+ */
+ public void setBlockedIPs(String pIPs) {
+ this.iConnectionHandler.setBlockedIPs(pIPs);
+ }
+
 }
 private final static WBEMListenerSBLIM INSTANCE = new WBEMListenerSBLIM();
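Review bot: The Javadoc on `setBlockedIPs(String pIPs)` in the `@@ -124,6 +129,25 @@` hunk does not say whether the call replaces the current block list or adds to it, what a null or empty string does, or which address forms are accepted. The argument is handed unchanged to `HttpConnectionHandler.setBlockedIPs`, which is not part of this diff, so any validation has to happen there; if it does not, a malformed entry could be stored silently and never match a client. I would extend the `@param` text along the lines of `The comma-separated list of IPs to block; replaces the current list, null or empty clears it`, with the wording matched to what the handler actually does.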
@@ -208,10 +232,42 @@
 return listener.getListenerPort();
 }
+ /**
+ * Get the IPs blocked by the listener associated with the specified port.
+ *
+ * @param pPort
+ * The port.
+ * @return The comma-separated list of blocked IPs.
+ */
+ public String getBlockedIPs(int pPort) {
+ if (pPort <= 0 || !this.iPortMap.containsKey(Integer.valueOf(pPort))) { throw new IllegalArgumentException(
+ "Port not in use."); }
+ WBEMListenerImpl listener = this.iPortMap.get(Integer.valueOf(pPort));
+ return listener != null ? listener.getBlockedIPs() : null;
+ }
+
 public synchronized void removeListener(int pPort) {
 WBEMListenerImpl listener = this.iPortMap.remove(new Integer(pPort));
 if (listener != null) {
 listener.stop();
 }
 }
+
+ /**
+ * Set the IPs to be blocked by the listener associated with the specified
+ * port.
+ *
+ * @param pPort
+ * The port.
+ * @param pIPs
+ * The comma-separated list of blocked IPs.
+ */
+ public void setBlockedIPs(int pPort, String pIPs) {
+ if (pPort <= 0 || !this.iPortMap.containsKey(Integer.valueOf(pPort))) { throw new IllegalArgumentException(
+ "Port not in use."); }
+ WBEMListenerImpl listener = this.iPortMap.get(Integer.valueOf(pPort));
+ if (listener != null) {
+ listener.setBlockedIPs(pIPs);
+ }
+ }
 }
|
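Review bot: `getBlockedIPs(int)` and `setBlockedIPs(int, String)` read `iPortMap` with `containsKey` followed by `get` and are not `synchronized`, while `removeListener` in the same hunk is. If a listener is removed between the two lookups, `get` returns null: the getter then returns null and the setter silently does nothing, so a caller may believe a block list was applied when it was not. Declaring both methods `synchronized` and replacing the double lookup with a single `get` followed by `if (listener == null) throw new IllegalArgumentException("Port not in use.");` closes that gap, and the exception deserves a `@throws IllegalArgumentException` line in both Javadoc comments. How `iPortMap` is declared lies outside the hunk, so whether the map is itself safe for concurrent access cannot be seen here.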