IBM Support

IC67589: WHEN THE CLIENT RESPONDS WITH A DATALENGTH VALUE WHICH IS UNREALISTIC, THE SERVER ACCEPTS THIS VALUE WITHOUT VERIFICATION.


APAR status

  • Closed as program error.

Error description

  • When a server-side exit responds with an ExitResponse code of
    MQXCC_SEND_AND_REQUEST_SEC_MSG, the client is expected to
    respond with a security message. However, if the client responds
    with a non-security message, the server-side code accepts this
    response, whereas the correct behaviour is to report an error.
    
    Furthermore, when the client responds with an unrealistic value
    of DataLength, the server must terminate the channel instead of
    proceeding with the given DataLength.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of WebSphere MQ who make use of security exits.
    
    Platforms affected:
    All Distributed (iSeries, all Unix and Windows)
    ****************************************************************
    PROBLEM SUMMARY:
    The WebSphere MQ code did not have sufficient checks in place to
    ensure that an ExitResponse of MQXCC_SEND_AND_REQUEST_SEC_MSG
    from the server results in a security message from the
    client.
    
    When the client responds with a DataLength value which is
    unrealistically large, the server accepts this value and later
    fails while attempting to use the memory allocated.
    

Problem conclusion

  • A check was introduced to ensure that non-security responses from
    the client to an ExitResponse of MQXCC_SEND_AND_REQUEST_SEC_MSG
    result in an error. An error code of rrcE_SECURITY_NOT_RECEIVED
    is generated in the WebSphere MQ error logs.
    
    Furthermore, if the value of DataLength is more than the maximum
    transmission size of the channel, the channel is terminated with
    an rrcE_PROTOCOL_ERROR.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
                       v7.0
    Platform           Fix Pack 7.0.1.3
    --------           --------------------
    Windows            U200320
    AIX                U834987
    HP-UX (PA-RISC)    U834414
    HP-UX (Itanium)    U834413
    Solaris (SPARC)    U834986
    Solaris (x86-64)   U834210
    iSeries            tbc_p700_0_1_3
    Linux (x86)        U834415
    Linux (x86-64)     U834985
    Linux (zSeries)    U834412
    Linux (Power)      U835662
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
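
The two checks described in the problem conclusion, as an added C example that is not IBM's code. The struct, segment-type constants, numeric return values, RRC_NO_MEMORY and the extra received-length check are assumptions; only the names MQXCC_SEND_AND_REQUEST_SEC_MSG, rrcE_SECURITY_NOT_RECEIVED and rrcE_PROTOCOL_ERROR come from this APAR.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical values; only the two rrcE_* names appear in the APAR text. */
enum { RRC_OK = 0, rrcE_SECURITY_NOT_RECEIVED = 1, rrcE_PROTOCOL_ERROR = 2,
       RRC_NO_MEMORY = 3 };
enum { SEG_DATA = 1, SEG_SECURITY = 2 };   /* constructed segment types */

typedef struct {
    uint8_t  seg_type;     /* kind of message the peer sent */
    uint32_t data_length;  /* peer-supplied DataLength, untrusted */
} sec_hdr;

/* Validate the peer's reply to MQXCC_SEND_AND_REQUEST_SEC_MSG before any
 * buffer is sized from it. avail = payload bytes actually received. */
int check_sec_reply(const sec_hdr *h, size_t avail, uint32_t max_trans_size)
{
    if (h->seg_type != SEG_SECURITY)
        return rrcE_SECURITY_NOT_RECEIVED;  /* non-security reply is an error */
    if (h->data_length > max_trans_size)
        return rrcE_PROTOCOL_ERROR;         /* unrealistic DataLength: end channel */
    if ((size_t)h->data_length > avail)
        return rrcE_PROTOCOL_ERROR;         /* added check, not stated in the APAR */
    return RRC_OK;
}

/* Copy the security payload only after validation. Returns NULL on rejection
 * and reports the reason through *rc. The caller frees the result. */
uint8_t *accept_sec_payload(const sec_hdr *h, const uint8_t *payload,
                            size_t avail, uint32_t max_trans_size, int *rc)
{
    *rc = check_sec_reply(h, avail, max_trans_size);
    if (*rc != RRC_OK)
        return NULL;
    uint8_t *buf = malloc(h->data_length ? h->data_length : 1);
    if (buf == NULL) {
        *rc = RRC_NO_MEMORY;
        return NULL;
    }
    memcpy(buf, payload, h->data_length);
    return buf;
}
```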
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC67589

  • Reported component name

    WMQ WINDOWS V7

  • Reported component ID

    5724H7220

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-04-01

  • Closed date

    2010-04-26

  • Last modified date

    2010-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ WINDOWS V7

  • Fixed component ID

    5724H7220

Applicable component levels

  • R700 PSY

       UP


Document Information

Modified date:
26 April 2010