I'm looking at the shutdown command wait code, and I'm a bit perplexed at one piece.
Could someone explain to me how the following code from StandardServer, starting from line 526 (v5.0.27), helps protect from a DoS attack? Why not simply limit the incoming stream to 1024, and be done with it?
There is some crazy random Star Trek code in here. Please learn me.
Bah! TC listens on 127.0.0.1:(normally: 8005). If someone is doing a DoS attack on localhost then he is logged in to my machine. Use <Server port="0" shutdown="SHUTDOWN" debug="0"> in server.xml if you think your machine is unsafe.
Lukas
    // Read a set of characters from the socket
    StringBuffer command = new StringBuffer();
    int expected = 1024; // Cut off to avoid DoS attack
    while (expected < shutdown.length()) {
        if (random == null)
            random = new Random(System.currentTimeMillis());
        expected += (random.nextInt() % 1024);
    }
    while (expected > 0) {
        int ch = -1;
        try {
            ch = stream.read();
        } catch (IOException e) {
            System.err.println("StandardServer.await: read: " + e);
            e.printStackTrace();
            ch = -1;
        }
        if (ch < 32) // Control character or EOF terminates loop
            break;
        command.append((char) ch);
        expected--;
    }
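An added example, not part of the original thread or of Tomcat's source: the excerpt's read loop lifted into a standalone class and run over constructed input, to show that no more than 1024 characters are buffered when the shutdown string is short, and that the random padding loop is only entered when the configured string is longer than 1024. The class name `ShutdownReadDemo`, the `readCommand` helper and both sample inputs are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Random;

public class ShutdownReadDemo {
    // Hypothetical helper: same bounded read as the excerpt, returning what was buffered.
    static String readCommand(InputStream stream, String shutdown) {
        StringBuilder command = new StringBuilder();
        int expected = 1024; // cap on characters taken from the socket
        Random random = new Random(System.currentTimeMillis());
        // Skipped entirely unless the configured shutdown string exceeds the cap
        while (expected < shutdown.length()) {
            expected += (random.nextInt() % 1024);
        }
        while (expected > 0) {
            int ch;
            try {
                ch = stream.read();
            } catch (IOException e) {
                ch = -1;
            }
            if (ch < 32) { // control character or EOF ends the command
                break;
            }
            command.append((char) ch);
            expected--;
        }
        return command.toString();
    }

    public static void main(String[] args) {
        String shutdown = "SHUTDOWN";
        // Constructed input: 1 MiB of 'A' with no terminating control character
        byte[] flood = new byte[1 << 20];
        Arrays.fill(flood, (byte) 'A');
        String fromFlood = readCommand(new ByteArrayInputStream(flood), shutdown);
        System.out.println("flood: buffered " + fromFlood.length()
                + " chars, match=" + fromFlood.equals(shutdown));
        // Constructed input: the configured command followed by a newline
        byte[] valid = "SHUTDOWN\n".getBytes(StandardCharsets.US_ASCII);
        String fromValid = readCommand(new ByteArrayInputStream(valid), shutdown);
        System.out.println("valid: buffered " + fromValid.length()
                + " chars, match=" + fromValid.equals(shutdown));
    }
}
```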