apache / dubbo-go

Go Implementation For Apache Dubbo.
https://dubbo.apache.org/
Apache License 2.0

Bug: HessianCodec failed to check package header length #380

Closed witkeysa closed 4 years ago

witkeysa commented 4 years ago
func (h *HessianCodec) ReadHeader(header *DubboHeader) error {
    var err error
    if h.reader.Size() < HEADER_LENGTH {
        return ErrHeaderNotEnough
    }
    buf, err := h.reader.Peek(HEADER_LENGTH)
    if err != nil { // this is impossible
        return perrors.WithStack(err)
    }
    ...

This code checks whether the length is greater than the package header length. It is called from the code below.

// Unmarshal ...
func (p *DubboPackage) Unmarshal(buf *bytes.Buffer, opts ...interface{}) error {
    codec := hessian.NewHessianCodec(bufio.NewReaderSize(buf, buf.Len()))

    // read header
    err := codec.ReadHeader(&p.Header)

However, in bufio.NewReaderSize(buf, buf.Len()):

func NewReaderSize(rd io.Reader, size int) *Reader {
    // Is it already a Reader?
    b, ok := rd.(*Reader)
    if ok && len(b.buf) >= size {
        return b
    }
    if size < minReadBufferSize {
        size = minReadBufferSize
    }
    r := new(Reader)
    r.reset(make([]byte, size), rd)
    return r
}

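The reader created here always has a size greater than 16. As a result, when the package header is split across packets, unpacking fails.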
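
The behaviour reported above, reproduced with only the Go standard library. This is an added example, not code from dubbo-go, dubbo-go-hessian2 or the fix PR. `headerLength` (assumed to be 16), `errHeaderNotEnough`, `sizeCheck` and `peekCheck` are hypothetical names, and `peekCheck` is only one possible way to detect a truncated header.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
)

// headerLength stands in for HEADER_LENGTH; 16 is an assumption based on
// the "16" quoted in the report (bufio's minimum buffer size is also 16).
const headerLength = 16

var errHeaderNotEnough = errors.New("header not enough")

// sizeCheck mirrors the reported check: it compares the reader's buffer
// capacity (Size) with the header length, not the bytes actually available.
func sizeCheck(data []byte) (readerSize int, err error) {
	r := bufio.NewReaderSize(bytes.NewBuffer(data), len(data))
	if r.Size() < headerLength {
		return r.Size(), errHeaderNotEnough
	}
	// With a truncated header this Peek fails with io.EOF, the case the
	// original comment calls "impossible".
	_, err = r.Peek(headerLength)
	return r.Size(), err
}

// peekCheck (hypothetical alternative) decides on what Peek really returns,
// so a short buffer is reported as "header not enough".
func peekCheck(data []byte) error {
	r := bufio.NewReaderSize(bytes.NewBuffer(data), len(data))
	b, err := r.Peek(headerLength)
	if err != nil || len(b) < headerLength {
		return errHeaderNotEnough
	}
	return nil
}

func main() {
	partial := make([]byte, 10) // constructed input: first 10 bytes of a header
	size, err := sizeCheck(partial)
	fmt.Printf("Size()=%d, sizeCheck error=%v\n", size, err)
	fmt.Printf("peekCheck error=%v\n", peekCheck(partial))
	fmt.Printf("peekCheck on full header=%v\n", peekCheck(make([]byte, headerLength)))
}
```
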

AlexStocks commented 4 years ago

@witkeysa maybe u should submit this issue to dubbo-go-hessian2?

witkeysa commented 4 years ago

> @witkeysa maybe u should submit this issue to dubbo-go-hessian2?

ok, thanks

AlexStocks commented 4 years ago

@witkeysa I have fixed this issue in https://github.com/apache/dubbo-go/pull/381 and this PR will be merged into the develop branch later. Pls check this branch and make sure this bug is fixed. If not, pls tell me again here.