Version 6.5.9 of The Server Framework was released today.
This release contains one bug fix for a write sequencing bug which has been present in The Server Framework since at least release 5.0 but which, thankfully, is very unlikely to occur. It also contains a bug fix for the TCP flow control filter, some bug fixes for the WebSocket code, hardening of the WebSocket code to help it resist denial of service attacks and a small amount of new functionality in several other libraries.
If you use the flow control filter, WebSockets, or have multiple threads writing to a single socket without using your own locks, then you need this release.
This release includes the following; see the release notes, here, for full details of all changes.
- Bug fix to CFlowControlStreamSocketConnectionFilter to prevent too many references to the socket being held when flow control is in operation. We now guarantee that we only hold a single reference whilst we have items in the flow control queue and (more importantly) we always release this single reference once there are no items in the queue. Previously we could leak socket references and prevent normal socket closure.
- Bug fix to sequence writes, this time in CSequencedStreamSocket::SequenceData. We now, correctly, use InterlockedIncrement() to increment the sequence number. Previously the code assumed that the socket was locked when sequence numbers were incremented and this is not always the case for single writes from multiple threads onto a single socket.
- Fixed a bug in the accumulation of Hixie 76 messages.
- Fixed a bug in the sending of messages larger than buffer size with HyBi.
- Fixed a bug in CAutoDetectProtocolHandler which prevented connections being denied by the caller’s
- Added an overload to HyBi::CProtocolHandler::Connect() which allows you to specify sub protocols.
- We now validate that clients do not send additional data before they receive a handshake response in
- Added limits to WebSocket::HandshakeParser to prevent denial of service attacks. The maximum number of headers in a request is now limited to 100 and the maximum length of a header is now 8190 bytes. These limits are the same as those present in Apache 2.3.
- Added validation of HyBi security information - we decode the Base64 encoded key and ensure that its clear text is 16 bytes long.
- Added compile time configuration to allow for non conforming Hixie76 clients to connect. If you define
Config.h then we allow an invalid number of spaces in the Hixie76 security info. Currently WebSocket4Net generates its keys incorrectly, see http://websocket4net.codeplex.com/workitem/16
- Added tighter validation of WebSocket request method parsing to prevent denial of service attacks.
CReadTimeoutStreamSocketConnectionFilter::SetDisconnectTimeout() which allows you to set a final “disconnect” timeout that can be used to force a connection closure after a predetermined time after a client has closed the connection and there are no reads pending.
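
To illustrate the handshake limits and the HyBi key validation listed above, here is an added example; it is not The Server Framework's code. The function names, the Verdict enum and the reading of the 8190-byte limit as applying to a single header line are assumptions.

```cpp
// Added example: not The Server Framework's code; all names here are hypothetical.
#include <cstddef>
#include <string>
constexpr std::size_t kMaxHeaders = 100;       // limit quoted in the release notes
constexpr std::size_t kMaxHeaderBytes = 8190;  // assumed: one header line, CRLF excluded

enum class Verdict { Ok, TooManyHeaders, HeaderTooLong, MissingKey, BadKey };
// Length in bytes that a Base64 string decodes to, or -1 if it is malformed.
int Base64DecodedLength(const std::string &s) {
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    if (s.empty() || s.size() % 4 != 0) return -1;
    std::size_t pad = 0;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '=') {
            if (i + 2 < s.size()) return -1;   // '=' only in the last two places
            ++pad;
        } else if (pad != 0 || alphabet.find(s[i]) == std::string::npos) {
            return -1;                          // data after padding or bad symbol
        }
    }
    return static_cast<int>(s.size() / 4 * 3 - pad);
}

// Checks a buffered client handshake against the limits before any further work.
Verdict CheckHandshake(const std::string &request) {
    const std::string keyName = "Sec-WebSocket-Key:";  // exact-case match for brevity
    std::size_t pos = request.find("\r\n");             // end of the request line
    std::size_t headers = 0;
    bool keySeen = false;
    while (pos != std::string::npos) {
        pos += 2;
        const std::size_t end = request.find("\r\n", pos);
        const std::size_t len = (end == std::string::npos ? request.size() : end) - pos;
        if (len == 0) break;                             // blank line ends the headers
        if (len > kMaxHeaderBytes) return Verdict::HeaderTooLong;
        if (++headers > kMaxHeaders) return Verdict::TooManyHeaders;
        if (request.compare(pos, keyName.size(), keyName) == 0) {
            std::string value = request.substr(pos + keyName.size(), len - keyName.size());
            value.erase(0, value.find_first_not_of(" \t"));
            value.erase(value.find_last_not_of(" \t") + 1);
            if (Base64DecodedLength(value) != 16) return Verdict::BadKey;
            keySeen = true;
        }
        pos = end;
    }
    return keySeen ? Verdict::Ok : Verdict::MissingKey;
}
```

Because an unterminated final line is measured as well, the same check can be run on partially received data so that an oversized header is rejected before its CRLF ever arrives.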