RFR(M): JDK-8061228 Allow JDWP socket connector to accept connections from certain ip addresses only

Dmitry Samersoff dmitry.samersoff at oracle.com
Mon Mar 13 19:07:50 UTC 2017 

Robbin,

Please, see:

http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.11

> 1:
> So connecting with an unallowed client terminates the VM.

Fixed.

> 2:
> Starting with an bad allow filter terminates the VM when connecting a
> client.

Moved allowed parameter (and parser call) to StartListening.

-Dmitry


On 2017-03-10 15:56, Robbin Ehn wrote:
> Hi Dmitry,
> 
> I took a look at this, I have two practical issues:
> 
> 1:
> [rehn at rehn-ws dev]$ java
> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.6.6.6
> -cp runs ForEver
> Listening for transport dt_socket at address: 9999
> ERROR: transport error 202: peer not allowed to connect: Success
> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
> error [transport.c:358]
> 
> So connecting with an unallowed client terminates the VM.
> 
> 2:
> [rehn at rehn-ws dev]$ java
> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9999,allow=6.BAD.6.6
> -cp runs ForEver
> Listening for transport dt_socket at address: 9999
> ERROR: transport error 202: unable to parse list of allowed peers: Success
> JDWP exit error JVMTI_ERROR_NONE(0): could not connect, timeout or fatal
> error [transport.c:358]
> 
> Starting with an bad allow filter terminates the VM when connecting a
> client.
> 
> 
> Connecting with an unallowed ip/port should not terminate the VM and we
> should verify allow filter directly at startup.
> 
> Thanks
> 
> /Robbin
> 
> On 02/28/2017 10:41 AM, Dmitry Samersoff wrote:
>> Everybody,
>>
>> Please review:
>>
>> http://cr.openjdk.java.net/~dsamersoff/JDK-8061228/webrev.10/
>>
>> These changes introduce new parameter[1] of the socket transport -
>> allow. Users can explicitly specify a list of hosts that allowed to
>> connect to jdwp server and it's the second part of JDWP hardening[2].
>>
>> No restrictions are applied by default now but I'll file a separate CR
>> to restrict list of allowed peers to localhost by default.
>>
>> Also these changes implement versioning for jdwp transport and therefor
>> simplify feature development of jdwp.
>>
>>
>> 1. Example command line:
>>
>> -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,
>> address=*,allow="127.0.0.0/8;192.168.0.0/24"
>>
>> Possible values for allow parameter:
>>   *           - accept connections from everywhere.
>>   N.N.N.N     - accept connections from this IP address only
>>   N.N.N.N/nn  - accept connections from particular ip subnet
>>
>>
>>
>> 2. JDK-8052136 JDWP hardening
>>
>> -Dmitry
>>


-- 
Dmitry Samersoff
Oracle Java development team, Saint Petersburg, Russia
* I would love to change the world, but they won't give me the sources.

More information about the serviceability-dev mailing list