Input parser strictness for control frames and DoS #150

Closed
lpeterse opened this issue Jun 28, 2017 · 0 comments
lpeterse commented Jun 28, 2017

I'm currently trying to find a solution for the issues #60 and #149. They are more serious than one might expect: Whenever a server blocks on receive, a client can send an arbitrarily large message and easily exhaust the server's memory.

While reviewing the code I noticed that RFC 6455 (section 5.5) mandates that control frames are never fragmented and their payload does not exceed 125 bytes. I found that this is not enforced by the current implementation, allowing an attacker to even bring down a server with a PING or CLOSE frame.

I prepared a PR enforcing these properties in the decoder.
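The RFC 6455 section 5.5 checks described in this issue, sketched in Python as an added example; it is not part of the original issue, the PR, or the project's code. The names `parse_header`, `ProtocolError` and `max_data_payload` are hypothetical, and the data-frame size limit is an assumed local policy rather than something the RFC mandates.

```python
import struct

MAX_CONTROL_PAYLOAD = 125  # RFC 6455 section 5.5


class ProtocolError(Exception):
    """Header violates the protocol or a local limit; fail the connection."""


def parse_header(buf, max_data_payload=1 << 20):
    """Validate a frame header before any payload is buffered.

    Returns (fin, opcode, masked, payload_len, header_len), or None when
    more bytes are needed. max_data_payload is a hypothetical local limit
    for data frames, not a value from the RFC.
    """
    if len(buf) < 2:
        return None
    fin, opcode = bool(buf[0] & 0x80), buf[0] & 0x0F
    masked, length = bool(buf[1] & 0x80), buf[1] & 0x7F
    header_len = 2
    if opcode & 0x8:
        # Control frame (close, ping, pong). The 7-bit values 126 and 127
        # announce an extended length, so rejecting > 125 here also stops
        # the 16/64-bit length fields from ever being read.
        if not fin:
            raise ProtocolError("fragmented control frame")
        if length > MAX_CONTROL_PAYLOAD:
            raise ProtocolError("control frame payload exceeds 125 bytes")
    elif length >= 126:
        fmt, header_len = ("!H", 4) if length == 126 else ("!Q", 10)
        if len(buf) < header_len:
            return None
        (length,) = struct.unpack_from(fmt, buf, 2)
    if length > max_data_payload:
        raise ProtocolError("payload exceeds configured limit")
    if masked:
        header_len += 4  # masking key follows the length field
    return None if len(buf) < header_len else (fin, opcode, masked, length, header_len)


if __name__ == "__main__":
    # Constructed sample: a PING header announcing a 1 TiB payload.
    oversized_ping = bytes([0x89, 0x7F]) + (1 << 40).to_bytes(8, "big")
    try:
        parse_header(oversized_ping)
    except ProtocolError as exc:
        print("rejected:", exc)
```

Because the decision is made from the first two header bytes, a receiver using a check like this never allocates a buffer sized by an attacker-supplied control-frame length.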
