From cfb3e7dedd0ca2546a0092b770645bf9421fb882 Mon Sep 17 00:00:00 2001
From: Dave Cridland
Date: Thu, 16 Aug 2018 16:24:46 +0100
Subject: [PATCH] OF-1590 Validate h against resumed session
The `` element sent by the client during a XEP-0198 session resumption contains an `h` attribute which is validated to ensure it has not acknowledged more stanzas than were actually sent. However, we were validating that against the current session, whose counters would be disabled, and therefore left at zero. This simply checks them against the correct session instead - the `otherSession` which is to be resumed.
---
 .../jivesoftware/openfire/streammanagement/StreamManager.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/java/org/jivesoftware/openfire/streammanagement/StreamManager.java b/src/java/org/jivesoftware/openfire/streammanagement/StreamManager.java
index a0d0d214ba..acc0f4aaed 100644
--- a/src/java/org/jivesoftware/openfire/streammanagement/StreamManager.java
+++ b/src/java/org/jivesoftware/openfire/streammanagement/StreamManager.java
@@ -274,7 +274,7 @@ private void startResume(String namespace, String previd, long h) {
 sendError(new PacketError(PacketError.Condition.unexpected_request));
 return;
 }
- if (!validateClientAcknowledgement(h)) {
+ if (!otherSession.getStreamManager().validateClientAcknowledgement(h)) {
 Log.debug("Not allowing a client to resume a session, as it reports it received more stanzas from us than that we've send it." );
 sendError(new PacketError(PacketError.Condition.unexpected_request));
 return;
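Review bot: The corrected check `if (!otherSession.getStreamManager().validateClientAcknowledgement(h))` carries no comment saying why `h` is validated against the session being resumed rather than this one, which is the exact mistake this commit fixes and an easy one to reintroduce. A one-line comment above it would do, for example `// h acknowledges stanzas sent on the session being resumed; this session's own counters are not active here.` Because `h` is client-supplied, a regression test that resumes with an `h` above the old session's sent count and expects the `unexpected_request` error would pin the behaviour. Whether `otherSession`'s counters can still advance between this check and the rest of the resumption is not visible here, since the body of `startResume` starts and ends outside the hunk.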