Fix DOS attack from malicious pongs

nhooyr · nhooyr · commit 129d3035f688 · 2021-04-07T09:53:51.000-06:00
A double channel close panic was possible if a peer sent back multiple pongs for every ping. If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and so a panic would ensue. This fixes that by having the read goroutine send on the ping goroutine's channel rather than closing it. Reported via email by Tibor Kálmán @kalmant Please update to the new release ASAP!
diff --git a/conn_notjs.go b/conn_notjs.go
@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {
 }
 
 func (c *Conn) ping(ctx context.Context, p string) error {
-	pong := make(chan struct{})
+	pong := make(chan struct{}, 1)
 
 	c.activePingsMu.Lock()
 	c.activePings[p] = pong
diff --git a/read.go b/read.go
@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {
 		pong, ok := c.activePings[string(b)]
 		c.activePingsMu.Unlock()
 		if ok {
-			close(pong)
+			select {
+			case pong <- struct{}{}:
+			default:
+			}
 		}
 		return nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {`
`189`	`189`	`}`
`190`	`190`
`191`	`191`	`func (c *Conn) ping(ctx context.Context, p string) error {`
`192`		`- pong := make(chan struct{})`
	`192`	`+ pong := make(chan struct{}, 1)`
`193`	`193`
`194`	`194`	`c.activePingsMu.Lock()`
`195`	`195`	`c.activePings[p] = pong`
Original file line number	Diff line number	Diff line change
`@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {`
`271`	`271`	`pong, ok := c.activePings[string(b)]`
`272`	`272`	`c.activePingsMu.Unlock()`
`273`	`273`	`if ok {`
`274`		`- close(pong)`
	`274`	`+ select {`
	`275`	`+ case pong <- struct{}{}:`
	`276`	`+ default:`
	`277`	`+ }`
`275`	`278`	`}`
`276`	`279`	`return nil`
`277`	`280`	`}`