### Describe the bug
I found some code paths where errors are not properly handled. They all have the possibility of crashing the client's socket.io process.
Summary
- overflowing binary attachment count
socket.io-client-java accepts a Socket.IO binary event whose attachment-count prefix is larger than Java's int range, then lets the resulting NumberFormatException escape the parser boundary. A remote Socket.IO peer that can send post-connect Engine.IO data to a client using the default parser can interrupt the client's data callback instead of having the malformed packet normalized to DecodingException and contained.
- empty packet payload
socket.io-client-java can throw an unchecked StringIndexOutOfBoundsException while decoding an empty Socket.IO packet string from a connected server. The exception escapes from IOParser.decodeString(), and Manager only catches DecodingException at the decode boundary, so malformed peer data can interrupt the client's event/data handling path instead of being normalized as a decode error.
- unexpected binary frame
socket.io-client-java lets an unexpected binary Engine.IO data frame throw a plain RuntimeException out of the Socket.IO decode path. A binary frame sent before any Socket.IO binary packet header initializes reconstruction reaches src/main/java/io/socket/parser/IOParser.java:111 while Manager catches only DecodingException; that input can disrupt the client connection/event-processing path.
PoC
poc.zip
Each case can be reproduced by running a single script.
Expected output:
- overflowing binary attachment count
TRIGGERED_SOCKETIO_JAVA_ATTACHMENT_COUNT_NUMBER_FORMAT_EXCEPTION
- empty packet payload
run 1: exit=0 timed_out=False duration=0.06s matched=True phase=oracle fingerprint='TRIGGERED_SOCKETIO_JAVA_EMPTY_PACKET_STRING_INDEX_EXCEPTION'
run 2: exit=0 timed_out=False duration=0.06s matched=True phase=oracle fingerprint='TRIGGERED_SOCKETIO_JAVA_EMPTY_PACKET_STRING_INDEX_EXCEPTION'
run 3: exit=0 timed_out=False duration=0.07s matched=True phase=oracle fingerprint='TRIGGERED_SOCKETIO_JAVA_EMPTY_PACKET_STRING_INDEX_EXCEPTION'
- unexpected binary frame
TRIGGERED_SOCKETIO_JAVA_ATTACHMENT_COUNT_NUMBER_FORMAT_EXCEPTION