High-severity follow-ups: cap HPACK table, drain acceptor exits, harden TLS opts #3
Merged
Three independent High findings from the audit:
Cap peer SETTINGS_HEADER_TABLE_SIZE at 64 KB before applying. RFC 7541
lets a peer advertise any 32-bit value; honoring it verbatim feeds the
encoder dynamic table, whose lookup is O(n), turning a chatty peer into
a CPU/memory exhaustion vector.
Drain queued {'EXIT',_,_} after every accept in the ssl and tcp loops.
Acceptors run with trap_exit and spawn_link per connection wrapper, so
every closed connection leaves an EXIT message that nobody reads; on a
busy server the mailbox grows without bound and selective receives
degrade.
Harden start_server TLS option building: extract build_server_ssl_opts/3,
honor top-level `verify' (default verify_none), reject verify_peer
without cacerts (verify_peer_requires_cacerts), accept an ssl_opts
override list merged on top of the defaults, and default
honor_cipher_order to true.
Summary
Three independent High findings from the security/concurrency audit, surgical and unrelated:

- Cap peer `SETTINGS_HEADER_TABLE_SIZE` at 64 KB before applying. RFC 7541 lets a peer advertise any 32-bit value; honoring it feeds the encoder dynamic table whose lookup is O(n), enabling CPU/memory exhaustion.
- Drain queued `{'EXIT', _, _}` after every accept in the ssl and tcp acceptor loops. Acceptors run with `trap_exit` and `spawn_link` per connection wrapper, so every closed connection leaves an EXIT message that nobody reads; on a busy server the mailbox grows without bound.
- Harden `start_server` TLS option building: extract `build_server_ssl_opts/3`, honor top-level `verify` (default `verify_none`), reject `verify_peer` without `cacerts` (`{error, verify_peer_requires_cacerts}`), accept an `ssl_opts` override list, and default `honor_cipher_order` to `true`.

All 92 tests pass.
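The three mitigations above, sketched as an added Erlang example that is not the project's own code: the module name, the `CertFile`/`KeyFile` parameters and the proplist shape of `Opts` are assumptions made for this illustration; only the 64 KB cap, the `verify`/`cacerts`/`ssl_opts`/`honor_cipher_order` keys and the `verify_peer_requires_cacerts` error come from the PR.

```erlang
%% Example module (not from the PR); names other than those in the PR are assumed.
-module(h2_hardening_example).
-export([clamp_header_table_size/1, drain_exits/0, build_server_ssl_opts/3]).

%% 64 KB cap applied to the peer's SETTINGS_HEADER_TABLE_SIZE before it
%% reaches the HPACK encoder's dynamic table.
-define(MAX_HEADER_TABLE_SIZE, 65536).

clamp_header_table_size(Size) when is_integer(Size), Size >= 0 ->
    min(Size, ?MAX_HEADER_TABLE_SIZE).

%% Drain every pending {'EXIT', _, _} without blocking. Intended to be called
%% by an acceptor running with trap_exit right after each accept; returns
%% how many stale EXIT messages were consumed.
drain_exits() -> drain_exits(0).

drain_exits(N) ->
    receive
        {'EXIT', _Pid, _Reason} -> drain_exits(N + 1)
    after 0 ->
        N
    end.

%% Build the ssl:listen/2 option list from the top-level start_server options.
%% Opts is assumed to be a proplist carrying verify, cacerts and ssl_opts.
build_server_ssl_opts(Opts, CertFile, KeyFile) ->
    Verify  = proplists:get_value(verify, Opts, verify_none),
    CaCerts = proplists:get_value(cacerts, Opts),
    case {Verify, CaCerts} of
        {verify_peer, undefined} ->
            %% verify_peer with no trust anchors would silently verify nothing.
            {error, verify_peer_requires_cacerts};
        _ ->
            Defaults = [{certfile, CertFile},
                        {keyfile, KeyFile},
                        {verify, Verify},
                        {honor_cipher_order, true}]
                       ++ [{cacerts, CaCerts} || CaCerts =/= undefined],
            Override = proplists:get_value(ssl_opts, Opts, []),
            %% Caller-supplied ssl_opts win: drop the default with the same key,
            %% then prepend the override (proplists:property/1 normalises bare atoms).
            Merged = lists:foldl(
                       fun(KV, Acc) ->
                               {K, _} = proplists:property(KV),
                               [KV | proplists:delete(K, Acc)]
                       end, Defaults, Override),
            {ok, Merged}
    end.
```

With `Opts = [{verify, verify_peer}]` and no `cacerts`, `build_server_ssl_opts/3` returns `{error, verify_peer_requires_cacerts}`; with `Opts = [{ssl_opts, [{honor_cipher_order, false}]}]` the override replaces the default `true`.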