Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
websocket: Limit maximum uncompressed frame length to 8MiB
This fixes a memory exhaustion DOS attack vector. References: GHSA-9p9m-jm8w-94p2
Showing 2 changed files with 86 additions and 7 deletions.
1412f5e
@onnokort, @temoto: GHSA-9p9m-jm8w-94p2 claims that affected versions are >= 0.10.0, but the permessage-deflate extension or compression extension was added by b7d2a25 which would be later than 0.10.0. Is this assessment correct? Or is the issue still present before starting from versions 0.10.0?
1412f5e
There were two issues that are fixed by this commit. One is the compression data explosion and the other is that there was no length check being performed on the websocket frames, which can be up to 2^64-1 in size (payload) IIRC.
This latter issue might exist in previous versions that have no compression support, but I haven't checked. It would not be as easily exploitable as the compression problem, however it would still allow a remote host to overflow the server's memory by sending a huge websocket frame.
1412f5e
@onnokort thanks for the quick confirmation!
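The two checks discussed in this thread, a limit on the declared frame payload length and a cap on inflated output, shown as an added Python sketch that is not the commit's code. The function names are hypothetical, the header layout and deflate tail bytes follow RFC 6455 and RFC 7692, and the sample message builder exists only to construct test input.

```python
import struct
import zlib

MAX_FRAME_LENGTH = 8 * 1024 * 1024  # 8 MiB, the limit named in the commit title


class FrameTooLarge(Exception):
    """A frame's declared or inflated size exceeds the limit."""


def declared_payload_length(header: bytes) -> int:
    """Parse the payload length from a frame header before reading any payload."""
    length = header[1] & 0x7F  # drop the mask bit
    if length == 126:
        (length,) = struct.unpack("!H", header[2:4])
    elif length == 127:
        (length,) = struct.unpack("!Q", header[2:10])  # 64-bit extended length
    if length > MAX_FRAME_LENGTH:
        raise FrameTooLarge(f"declared payload of {length} bytes")
    return length


def inflate_bounded(payload: bytes, limit: int = MAX_FRAME_LENGTH) -> bytes:
    """Inflate a permessage-deflate payload without producing more than limit bytes."""
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate stream
    # The sender strips the 00 00 ff ff sync-flush tail; restore it first.
    # max_length caps what zlib allocates, so a tiny frame cannot balloon.
    out = inflater.decompress(payload + b"\x00\x00\xff\xff", limit + 1)
    if len(out) > limit:
        raise FrameTooLarge(f"inflated payload exceeds {limit} bytes")
    return out


def deflate_message(data: bytes) -> bytes:
    """Constructed sample input: compress the way a permessage-deflate sender does."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return (deflater.compress(data) + deflater.flush(zlib.Z_SYNC_FLUSH))[:-4]
```

The length check has to run on the header alone, before the payload buffer is allocated, and the inflate cap has to be enforced by the decompressor rather than by measuring the output afterwards.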