[ejabberd] max_stanza_size not working in mod_http_bind?

Badlop badlop at gmail.com
Wed Apr 29 03:18:45 MSD 2009


2009/4/14 Xia Qingran <qingran.xia at gmail.com>:
> found that the max_stanza_limit of c2s is not working because I can
> send even 5 times bigger length of message. I only take use of this to
> protect my ejabberd server against bad guys sending long and useless
> message.
>
> I took use of a simple python script to send message with assigned
> character number and all the sent messages are received by target user:
>
> import xmpp
> login = 'testtest8'
> pwd   = 'password'
> cnx = xmpp.Client('mydomain.org')
> cnx.connect(('127.0.0.1', 5222))
> cnx.auth(login, pwd, 'TEST')
> a = '1'
> cnx.send( xmpp.Message( "testtest1@mydomain.org" ,a.zfill(4000) ) )
> cnx.disconnect()
>
>
> With Pidgin 2.5.2 and Gajim 0.12.1, I can also send a message with
> about 5 times bigger than max_stanza_size.
>
> I installed ejabberd-2.0.5 with linux x86 32-bits installer and run it
> on ubuntu-8.10-i386 by my laptop.


I tried more, and in some cases I experience the problem you mention.

Can you try this proposed patch?
  https://support.process-one.net/browse/EJAB-928
  Change direction of rounding when calculating size in xml_stream

I tried it with Tkabber and your Python script, and it detects small
stanzas when max_stanza_size is configured with a small value.

I didn't try with http-bind connection.

If you try it, please comment if it works better now.


> I installed ejabberd-2.0.5 with linux x86 32-bits installer and run it
> on ubuntu-8.10-i386 by my laptop.

These are the steps that you can follow to try the proposed patch:

1. download:
wget http://svn.process-one.net/ejabberd/tags/ejabberd-2.0.5/src/xml_stream.erl
wget https://support.process-one.net/secure/attachment/14196/928-acc-size.diff

2. apply the patch:
patch -p2<928-acc-size.diff

3. compile:
$HOME/ejabberd-2.0.5/bin/erlc xml_stream.erl

4. install the modified file:
cp xml_stream.beam $HOME/ejabberd-2.0.5/lib/ejabberd-2.0.5/ebin

5. restart ejabberd


---
Badlop
ProcessOne

