Skip to content

fix(logstash source): close the connection on a malformed frame#25664

Merged
bruceg merged 1 commit into
masterfrom
bruceg/logstash-decode-error-fatal
Jun 23, 2026
Merged

fix(logstash source): close the connection on a malformed frame#25664
bruceg merged 1 commit into
masterfrom
bruceg/logstash-decode-error-fatal

Conversation

@bruceg

@bruceg bruceg commented Jun 22, 2026

Copy link
Copy Markdown
Member

Summary

A failed JSON decode or decompression was marked continuable (can_continue() == true), but the Lumberjack stream is length-prefixed binary with no resync marker. Continuing left the decoder desynchronized yet running: the uncompressed-JSON path never consumes the bad bytes (a CPU busy-loop) and the compressed path advances but keeps stale state, misframing subsequent bytes and emitting ACKs for bogus sequence numbers — surfacing as invalid sequence number received on the client.

Treat every decode error as fatal (can_continue() == false) so the connection closes and the client reconnects (fresh decoder) and retransmits the unacknowledged window. This matches the upstream logstash-input-beats server, which closes the channel on any decode exception, and is at-least-once and safe.

Adds decoder-level tests that malformed JSON and bad compression are fatal, and a socket-level test that a malformed frame closes the connection without sending an ACK. Also adds the missing authors line to the prior changelog fragment.

This was originally part of #25655 but I've broken it out here to simplify reviewing.

Vector configuration

How did you test this PR?

Unit tests are included

Change Type

  • Bug fix
  • New feature
  • Dependencies
  • Non-functional (chore, refactoring, docs)
  • Performance

Is this a breaking change?

  • Yes
  • No

Does this PR include user facing changes?

  • Yes. Please add a changelog fragment based on our guidelines.
  • No. A maintainer will apply the no-changelog label to this PR.

References

Related: #25655

Notes

  • Please read our Vector contributor resources.
  • Do not hesitate to use @vectordotdev/vector to reach out to us regarding this PR.
  • Some CI checks run only after we manually approve them.
    • We recommend adding a pre-push hook, please see this template.
    • Alternatively, we recommend running the following locally before pushing to the remote branch:
      • make fmt
      • make check-clippy (if there are failures it's possible some of them can be fixed with make clippy-fix)
      • make test
  • After a review is requested, please avoid force pushes to help us review incrementally.
    • Feel free to push as many commits as you want. They will be squashed into one before merging.
    • For example, you can run git merge origin master and git push.
  • If this PR introduces changes Vector dependencies (modifies Cargo.lock), please
    run make build-licenses to regenerate the license inventory and commit the changes (if any). More details on the dd-rust-license-tool.

@graphcareful @bruceg
fix(logstash source): close the connection on a malformed frame
96ea502 
A failed JSON decode or decompression was marked continuable
(`can_continue() == true`), but the Lumberjack stream is length-prefixed
binary with no resync marker. Continuing left the decoder desynchronized yet
running: the uncompressed-JSON path never consumes the bad bytes (a CPU
busy-loop) and the compressed path advances but keeps stale state, misframing
subsequent bytes and emitting ACKs for bogus sequence numbers — surfacing as
`invalid sequence number received` on the client.

Treat every decode error as fatal (`can_continue() == false`) so the
connection closes and the client reconnects (fresh decoder) and retransmits
the unacknowledged window. This matches the upstream `logstash-input-beats`
server, which closes the channel on any decode exception, and is at-least-once
and safe.

Adds decoder-level tests that malformed JSON and bad compression are fatal,
and a socket-level test that a malformed frame closes the connection without
sending an ACK. Also adds the missing authors line to the prior changelog
fragment.
@bruceg bruceg requested a review from graphcareful June 22, 2026 17:24
@bruceg bruceg requested a review from a team as a code owner June 22, 2026 17:24
@bruceg bruceg added the source: logstash Anything `logstash` source related label Jun 22, 2026
@github-actions github-actions Bot added the domain: sources Anything related to the Vector's sources label Jun 22, 2026
@bruceg bruceg added this pull request to the merge queue Jun 23, 2026
Merged via the queue into master with commit 2567199 Jun 23, 2026
108 checks passed
@bruceg bruceg deleted the bruceg/logstash-decode-error-fatal branch June 23, 2026 15:31
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 23, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@pront pront pront approved these changes

@graphcareful graphcareful graphcareful approved these changes

Assignees

No one assigned

Labels

domain: sources Anything related to the Vector's sources source: logstash Anything `logstash` source related

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bruceg @pront @graphcareful