Commit 129d303

committed

Fix DOS attack from malicious pongs

A double channel close panic was possible if a peer sent back multiple pongs for every ping. If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and so a panic would ensue. This fixes that by having the read goroutine send on the ping goroutine's channel rather than closing it. Reported via email by Tibor Kálmán @kalmant Please update to the new release ASAP!

1 parent e4c3b0f commit 129d303Copy full SHA for 129d303

File tree

2 files changed

-2

lines changed

conn_notjs.go
read.go

2 files changed

-2

lines changed

`‎conn_notjs.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {`
`189`	`189`	`}`
`190`	`190`
`191`	`191`	`func (c *Conn) ping(ctx context.Context, p string) error {`
`192`		`- pong := make(chan struct{})`
	`192`	`+ pong := make(chan struct{}, 1)`
`193`	`193`
`194`	`194`	`c.activePingsMu.Lock()`
`195`	`195`	`c.activePings[p] = pong`

`‎read.go`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {`
`271`	`271`	`pong, ok := c.activePings[string(b)]`
`272`	`272`	`c.activePingsMu.Unlock()`
`273`	`273`	`if ok {`
`274`		`- close(pong)`
	`274`	`+ select {`
	`275`	`+ case pong <- struct{}{}:`
	`276`	`+ default:`
	`277`	`+ }`
`275`	`278`	`}`
`276`	`279`	`return nil`
`277`	`280`	`}`

0 commit comments

Comments

(0)

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit 129d303

File tree

2 files changed

2 files changed

`‎conn_notjs.go`

`‎read.go`

0 commit comments