XMPP Service Operators - 2021-05-23

  1. moparisthebest

    tom, and anyone else interested, the prosody memory exhaustion DOS explanation+code as promised https://www.moparisthebest.com/eatxmempp-cve-2021-32918/

  2. qrpnxz

    lol i can't believe this is the bug, it's so obvious

  3. moparisthebest

    all bugs are in hindsight, mostly anyway :)

  4. qrpnxz

    I cannot even begin to conceive accepting messages without a bandwidth and size limit. I'll note however that, unfortunately, it's not common to see parsers that let you configure these things.

  5. qrpnxz

    Thankfully XML, and in particular the restricted subset of XML used in XMPP, is pretty easy to parse.

  6. moparisthebest

    well and importantly, prosody had one, but the GC didn't care and couldn't handle it

  7. qrpnxz

    the article said it got added just in 0.11.7, that might be a long time ago, but seems to be quite late in the game

  8. moparisthebest

    maybe the most interesting part is everything was fine with Lua 5.1 and 5.4, just not the middle versions :)

  9. qrpnxz

    understandable nothing was done with 5.1 then

  10. moparisthebest

    for me, I plan on my rust thing being the only thing that touches the network from now on

  11. qrpnxz

    if this was tested at that time

  12. moparisthebest

    bonus is rustls instead of openssl

  13. qrpnxz

    the proxy thing? looks interesting

  14. moparisthebest

    yea xmpp-proxy

  15. moparisthebest

    what language are you writing your server in?

  16. qrpnxz


  17. moparisthebest

    ah, so you have to battle a garbage collector too then? point eatxmempp at it and see what happens, I'm curious

  18. qrpnxz

    I'm not sure i'll have to finish more of it and put it in load to see, but i can't think of anything in particular that would create runaway memory

  19. moparisthebest

    that sounds like famous last words :)

  20. qrpnxz


  21. moparisthebest

    idk just does, the garbage collector can be a fickle mistress

  22. tom

    moparisthebest: thanks

  23. Licaon_Kter

    moparisthebest: > I recall contacting openfire, tigase, and m-link devs, and *an ejabberd user*, all of which I sent my test program and all reported no problems on their end. This is THAT old thing you wanted me to test?

  24. Licaon_Kter

    But that's like >1 year old...

  25. Licaon_Kter

    moparisthebest: your fedi post lacks the hashtags to make visible, is that on purpose? No #xmpp no #prosody etc

  26. moparisthebest

    Licaon_Kter: ha yep, want me to put your name in there? Also apparently I don't know how to toot :)

  27. Licaon_Kter

    No, I didn't do anything worthy