Fix DOS attack from malicious pongs

A double channel close panic was possible if a peer sent back multiple pongs for every ping. If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and so a panic would ensue. This fixes that by having the read goroutine send on the ping goroutine's channel rather than closing it. Reported via email by Tibor Kálmán @kalmant Please update to the new release ASAP!
nhooyr · Apr 7, 2021 · 129d303 · 129d303
1 parent e4c3b0f
commit 129d303
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/conn_notjs.go b/conn_notjs.go
@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {
 }
 
 func (c *Conn) ping(ctx context.Context, p string) error {
-	pong := make(chan struct{})
+	pong := make(chan struct{}, 1)
 
 	c.activePingsMu.Lock()
 	c.activePings[p] = pong

diff --git a/read.go b/read.go
@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {
 		pong, ok := c.activePings[string(b)]
 		c.activePingsMu.Unlock()
 		if ok {
-			close(pong)
+			select {
+			case pong <- struct{}{}:
+			default:
+			}
 		}
 		return nil
 	}