Fix DOS attack from malicous pongs

nhooyr · nhooyr · commit de018ed24cc7 · 2021-04-07T09:31:44.000-06:00
A double channel close panic was possible if a peer sent back multiple
pongs for every ping.

If the second pong arrived before the ping goroutine deleted its channel
from the map, the channel would be closed twice and so a panic would
ensue.

This fixes that by having the read goroutine send on the ping
goroutine's channel rather than closing it.

Reported via email by Tibor Kálmán &lt;kalmantibor2@gmail.com&gt;

Please update to the new release ASAP!
diff --git a/conn_notjs.go b/conn_notjs.go
@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {
 }
 
 func (c *Conn) ping(ctx context.Context, p string) error {
-	pong := make(chan struct{})
+	pong := make(chan struct{}, 1)
 
 	c.activePingsMu.Lock()
 	c.activePings[p] = pong
diff --git a/read.go b/read.go
@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {
 		pong, ok := c.activePings[string(b)]
 		c.activePingsMu.Unlock()
 		if ok {
-			close(pong)
+			select {
+			case pong <- struct{}{}:
+			default:
+			}
 		}
 		return nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {`
`189`	`189`	`}`
`190`	`190`
`191`	`191`	`func (c *Conn) ping(ctx context.Context, p string) error {`
`192`		`- pong := make(chan struct{})`
	`192`	`+ pong := make(chan struct{}, 1)`
`193`	`193`
`194`	`194`	`c.activePingsMu.Lock()`
`195`	`195`	`c.activePings[p] = pong`
Original file line number	Diff line number	Diff line change
`@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {`
`271`	`271`	`pong, ok := c.activePings[string(b)]`
`272`	`272`	`c.activePingsMu.Unlock()`
`273`	`273`	`if ok {`
`274`		`- close(pong)`
	`274`	`+ select {`
	`275`	`+ case pong <- struct{}{}:`
	`276`	`+ default:`
	`277`	`+ }`
`275`	`278`	`}`
`276`	`279`	`return nil`
`277`	`280`	`}`