Smack IQ not correctly implemented with null to field

Hi Flow,

Not sure if this is an issue but smack’s iq with no to field or bare jid it doesn’t expect a from filter . Ejabberd when given an iq with no to returns a response with barejid: jabberd:iq:roster.

Smack’s fromfilter - e4754/smack-core/src/main/java/org/jivesoftware/smack/filter/FromMatchesFilter.j ava- The address to filter for. If null is given, the stanza(/packet) must not have a from address.

RFC6120 -
When the server generates a stanza from the server for delivery to the client on behalf of the account of the connected client (e.g., in the context of data storage services provided by the
server on behalf of the client), the stanza MUST either (a) not include a ‘from’ attribute or (b) include a ‘from’ attribute whose value is the account’s bare JID (localpart@domainpart).


In IQReplyFilter

fromFilter = new OrFilter();
if (to == null) {
else if (to.equals(local.asBareJid())) {

to is null and therefore fromfilter first condition is null. In abstrctjid it’s giving null pointer since from field is present in iq result. It looks wrong to me.

A fix which is working with ejabberd - 9c03ca . Still need to fix unit test but it will be great if you can take a look at it. I will also test with openfire which doesn’t add a to field.

Could you show us the stacktrace of the NPE?

I have changed code to print stack trace

Oct 28, 2015 10:17:12 PM org.jivesoftware.smack.filter.IQReplyFilter accept

SEVERE: java.lang.NullPointerException


at org.jxmpp.jid.impl.AbstractJid.equals(

at org.jivesoftware.smack.filter.FromMatchesFilter.accept( 04)

at org.jivesoftware.smack.filter.OrFilter.accept(

at org.jivesoftware.smack.filter.IQReplyFilter.accept(

at org.jivesoftware.smack.AbstractXMPPConnection$ListenerWrapper.filterMatches(Abs

at org.jivesoftware.smack.AbstractXMPPConnection.invokePacketCollectorsAndNotifyRe cvListeners(

at org.jivesoftware.smack.AbstractXMPPConnection$ :1013)

at java.util.concurrent.Executors$


at java.util.concurrent.ThreadPoolExecutor.runWorker(

at java.util.concurrent.ThreadPoolExecutor$


// Second, check if the from attributes are correct and log potential IQ spoofing attempts
try {
if (fromFilter.accept(packet)) {
return true;
} else {
String msg = String.format("Rejected potentially spoofed reply to IQ-packet. Filter settings: "

  • “packetId=%s, to=%s, local=%s, server=%s. Received packet with from=%s”,
    packetId, to, local, server, packet.getFrom());
    LOGGER.log(Level.WARNING, msg , packet);
    return false;
    catch (Exception e) {
    LOGGER.log(Level.SEVERE, e.toString(), e);
    return false;

null.tostring is called when from field is present in iq result when iq input doesn’t have to. I just have change the order to prevent that NPE - Fixed code for iq · bangarharshit/Smack@6ca36e3 · GitHub Sorry for late reply.

I think the correct fix is 58

Thanks. That will fix it. I will patch it locally. Once new smack is released I will upgrade it. BTW are you planning release for smack (alpha or non alpha) soon I will then pick up from there itself.

Thanks to you for reporting

I think there will be another alpha of 4.2 within the next 4-8 weeks.