Stream read error: Invalid string length "xxxx"

Owen · September 23, 2019, 11:09am

One of our customers has reported that they are unable to use our client discover RemObjects servers and as we’ve been unable to reproduce the issue they have provided us with actual machine having the issue.

All products involved (clients and servers) are using RemObjects SDK version 9.0.97.1245 and have been built under Delphi 10.1 Berlin under Windows 10. They are variously running on uo-to-date Windows 10 Enterprise and Windows 10 Professional.

The non-functional client is a Chinese edition of Windows, all others are the EN-GB edition. At the moment this is the only obvious difference between the setups.

On startup, the client attempts to discover available servers. With the same executable, every machine except for the one provided by our customer receives the expected response from a number of servers. The customer’s machine receives an error message indicating that the message could not be read due to an invalid stream length.

I’ve tracked the error down to the “discovery” message the client sends on startup. It is incorrectly formatted on the customer’s machine. Below are two Wireshark traces. The first is the transmitted request, the second is the response.

0000   ff ff ff ff ff ff e4 54 e8 a3 d4 25 08 00 45 00  .......T...%..E.
0010   00 77 46 9b 00 00 80 11 29 37 0a 0c c0 98 ff ff  .wF.....)7......
0020   ff ff fb bd 1f a3 00 63 23 80 7b 41 42 41 44 45  .......c#.{ABADE
0030   34 42 32 2d 42 38 46 45 2d 34 33 42 45 2d 39 39  4B2-B8FE-43BE-99
0040   45 45 2d 36 42 34 30 34 37 32 38 33 44 38 39 7d  EE-6B4047283D89}
0050   52 4f 31 30 37 00 00 00 00 00 00 00 14 3f 3f 3f  RO107........???
0060   4d 3f 3f 49 1f 3f 0a 00 00 00 54 53 4d 53 65 72  M??I.?....TSMSer
0070   76 69 63 65 0d 00 00 00 54 53 4d 47 65 74 53 75  vice....TSMGetSu
0080   6d 6d 61 72 79                                   mmary

0000   e4 54 e8 a3 d4 25 4c cc 6a 2c 91 fb 08 00 45 00  .T...%L.j,....E.
0010   00 a7 14 16 00 00 80 11 90 fd 0a 0c c0 82 0a 0c  ................
0020   c0 98 1f a3 fb bd 00 93 50 87 7b 41 42 41 44 45  ........P.{ABADE
0030   34 42 32 2d 42 38 46 45 2d 34 33 42 45 2d 39 39  4B2-B8FE-43BE-99
0040   45 45 2d 36 42 34 30 34 37 32 38 33 44 38 39 7d  EE-6B4047283D89}
0050   52 4f 31 30 37 00 01 00 00 00 00 00 14 3f 3f 3f  RO107........???
0060   4d 3f 3f 49 1f 3f 0a 00 00 00 54 53 0c 00 00 00  M??I.?....TS....
0070   45 52 4f 45 78 63 65 70 74 69 6f 6e 35 00 00 00  EROException5...
0080   53 74 72 65 61 6d 20 72 65 61 64 20 65 72 72 6f  Stream read erro
0090   72 3a 20 49 6e 76 61 6c 69 64 20 73 74 72 69 6e  r: Invalid strin
00a0   67 20 6c 65 6e 67 74 68 20 22 31 39 31 39 32 34  g length "191924
00b0   33 30 38 35 22                                   3085"

The string length in question is 1919243085 (Hex 0x7265534D) which you can see in the first message, listed in network byte order at offset 0x006C. Clearly the four bytes which are supposed to be the message length are at offset 0x0066 (Hex 0x0000000A).

Looking through the binary message format t appears that offet 0x0050 is where the header begins. This reads “R0107” followed by a number of flags and message type bytes, followed by a GUID, broken down into its 16 bytes. In the message sent, it appears that the last six bytes of the GUID have been overwritten with the message data which ought to have followed at 0x006C.

Indeed, you can see in the reply that the GUID has been copied and includes the four bytes of the length and the first two bytes of the message string!

What in the world is happening to cause these differences in behaviour? This product has been in use for a decade and we’ve never seen anything like this.

Additional question too: I’ve stepped through the creation of the GUID which begins at 0x005C. It was a very normal looking random number which I’ve tracked through to its being added to the outgoing message buffer. However, every trace I’ve taken while investigating this issue has shown me a GUID with lots of instances of 0x3F as bytes. What’s causing this? It happens on the machines that are working and the one which isn’t, so I don’t think it’s the cause - could it be a symptom though?

Thanks in advance for any pointers anyone has!

Owen · September 23, 2019, 11:12am

A maybe-interesting addition to the behaviour we’ve seen: The client message above is 6 bytes short but I’ve seen messages which are variously between 6 and 1 bytes short and even a few which have been 0 bytes short (and have worked, eliciting the correct response).

EvgenyK · September 23, 2019, 11:54am

Hi,

can you create a simple testcase that reproduces this case, pls?
I’d like to reproduce this case locally

you can send it to support@ if you want to keep it privately.

Owen · September 23, 2019, 1:32pm

No objection to it being public; this is a minimal example built from scratch. The issue appears exactly as before with this new client and new server.

I’ve attached it here as a .zip.

ROTest.zip (37.4 KB)

EvgenyK · September 23, 2019, 1:40pm

Hi,

how I can reproduce issue? can you specify any additional actions?

Owen · September 23, 2019, 1:57pm

I’m not sure of the cause, but what we see is:

Run the server on any machine.
Run the client on any machine running Windows 10 EN-GB.
This works as expected.

Run the server on any machine.
Run the client on a machine running Windows 10 in Chinese.
Some messages work as expected.
Most messages are rejected.

EvgenyK · September 23, 2019, 2:00pm

probably error with UTF8 transforming. try to change ServerName: ROUTF8String with UnicodeString (WideString in RODL).
will this issue be reproduced?

Owen · September 24, 2019, 8:09am

The error persists with ROUTF8String, UnicodeString and ANSIString.

I’ve just tried all three and get identical results. In all three cases, the messages sent by the Chinese client are two bytes shorter than those sent by the EN-GB clients. The Chinese client messages are 138 bytes while the EN-GB client messages are 140.

WireShark traces of example UDP messages are included below. The format differs from around offset 0x006C.

You can see in both cases 0b 00 00 00 but in the EN-GB client message it starts at 0x006A while in the Chinese client message it starts at 0x006C. This should indicate the string length of the string to follow: “TestService”, which is indeed 11 bytes in UTF-8.

In both cases, the Client GUID (bytes 0x005C through 0x006B in the EN-GB message) has been altered to contain a lot of instances of 3F too. Not sure if this is related.

EN-GB Client Message (140 Bytes)

  0000   ff ff ff ff ff ff 00 0c 29 60 f3 52 08 00 45 00  ........)`.R..E.
  0010   00 7e 32 cd 00 00 80 11 3c dc 0a 0c c0 ba ff ff  .~2.....<.......
  0020   ff ff cf 17 1f 9a 00 6a 83 18 7b 45 43 43 33 46  .......j..{ECC3F
  0030   45 45 46 2d 44 42 44 35 2d 34 31 30 33 2d 39 34  EEF-DBD5-4103-94
  0040   36 32 2d 30 41 44 35 41 43 31 46 45 42 31 31 7d  62-0AD5AC1FEB11}
  0050   52 4f 31 30 37 00 00 00 00 00 00 00 3f 3f 2f 3f  RO107.......??/?
  0060   3f 07 0e 48 3f 02 3f 16 3f 4b 3f 3f 0b 00 00 00  ?..H?.?.?K??....
  0070   54 65 73 74 53 65 72 76 69 63 65 0d 00 00 00 47  TestService....G
  0080   65 74 53 65 72 76 65 72 49 6e 66 6f              etServerInfo

Chinese Client Message (138 Bytes)

0000   ff ff ff ff ff ff e4 54 e8 a3 d4 25 08 00 45 00  .......T...%..E.
0010   00 7c 7b 07 00 00 80 11 f4 c5 0a 0c c0 98 ff ff  .|{.............
0020   ff ff ce f8 1f 9a 00 68 5e f0 7b 31 43 34 46 35  .......h^.{1C4F5
0030   34 35 34 2d 45 46 36 35 2d 34 38 39 33 2d 39 35  454-EF65-4893-95
0040   42 46 2d 36 41 39 39 33 32 30 37 39 32 31 33 7d  BF-6A9932079213}
0050   52 4f 31 30 37 00 00 00 00 00 00 00 3f 60 3f 3f  RO107.......?`??
0060   3f 7e 45 3f 78 3f 56 44 3f 3f 0b 00 00 00 54 65  ?~E?x?VD??....Te
0070   73 74 53 65 72 76 69 63 65 0d 00 00 00 47 65 74  stService....Get
0080   53 65 72 76 65 72 49 6e 66 6f                    ServerInfo

EvgenyK · September 24, 2019, 11:31am

Hi,

what client channel you use? Indy based?
can you test this case with another similar channel channel, pls?

Owen · September 25, 2019, 5:37am

This is using the TROBroadcastChannel component I’m not sure what other channel would accomplish the same effect. Server addresses are not known to the client.

EvgenyK · September 25, 2019, 12:51pm

it seems that this or similar issue has been already fixed 3 years ago…
can you retest this issue with RO 9.1+? RO trial can be used for testing too.

Owen · September 25, 2019, 1:11pm

We have found something similar. I rebuilt the test project under the latest release and the issue is not seen. I’ve therefore begun the process of updating our client (the one for which the fault was reported) to use that new release; hopefully the fact that it is only an interface change will mean that older servers will still be accessible with the updated client (all signs point that way at the moment).

Can you point me to where this issue was reported? I did not find anything when I searched the forum. If it is publicly available information, can I please see the report and notes on the changes made to resolve the issue? If necessary I will make the same (or similar) changes in our RemObjects SDK installations; an in-house-patched version may prevent the need to update to version 10.

EvgenyK · September 25, 2019, 1:33pm

this issue should be fixed in 9.2. so it can be minor update from 9.0.

it was 77192: ROD/DAD: get rid of legacy strings (ansi/utf8strings), when we performed removing of legacy strings in favor of NEXTGEN compiler and replaced them with TBytes/String.

as a result, some unexpected failures, like this issue, were fixed.

Owen · September 30, 2019, 11:03am

I’ve moved the entire project on to the latest release (July) of the RemObjects SDK and this has resolved the issue. Many thanks for the assistance.