
EVM-819 DoS on Websockets #1871

Merged (1 commit), Sep 5, 2023

Conversation

igorcrevar (Contributor)

Description

The Gorilla websocket library does not have any read limits by default.
An attacker could send a very large stream of data and trigger an out-of-memory crash.
The polygon-edge process will be stopped by the system OOM killer.
Impact

Remote denial of service. No authentication is required.

Risk Breakdown

Difficulty to Exploit: Easy
Weakness:
CVSS2 Score:

Recommendation
Use the SetReadLimit() call of the gorilla library.

A new server flag, --websocket-read-limit, is introduced. By default its value is 8192. This value specifies the read limit for websocket connections.

Changes include

  • Bugfix (non-breaking change that solves an issue)
  • Hotfix (change that solves an urgent issue, and requires immediate attention)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (change that is not backwards-compatible and/or changes current functionality)

Checklist

  • I have assigned this PR to myself
  • I have added at least 1 reviewer
  • I have added the relevant labels
  • I have updated the official documentation
  • I have added sufficient documentation in code

Testing

  • I have tested this code with the official test suite
  • I have tested this code manually

Manual tests
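The mechanism behind the fix, as an added example that is not polygon-edge's or gorilla/websocket's code: a WebSocket frame header announces the payload length, and a peer can declare a multi-gigabyte frame without ever sending the bytes; a reader that allocates the declared size before comparing it against a limit hands the peer control of its memory. The standard-library-only parser below models the kind of check `SetReadLimit()` enables, comparing the declared length against the limit before any payload is buffered; in the real project the fix is the gorilla call itself, wired to the new `--websocket-read-limit` flag. `DefaultReadLimit`, `ReadDeclared` and `encodeFrame` are names chosen here, and the frames are constructed test data (client masking is omitted because it does not affect the length check).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// DefaultReadLimit mirrors the PR's default for --websocket-read-limit (assumed name).
const DefaultReadLimit int64 = 8192

// ErrReadLimit is returned when a peer declares a frame larger than the limit.
var ErrReadLimit = errors.New("websocket: read limit exceeded")

// readFrameHeader parses an RFC 6455 frame header (masking omitted) and
// returns the declared payload length. The limit is applied to the declared
// length before any payload is buffered; limit <= 0 disables the check,
// which is the pre-fix (no SetReadLimit) behaviour.
func readFrameHeader(r io.Reader, limit int64) (int64, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return 0, err
	}
	n := int64(hdr[1] & 0x7f)
	switch n {
	case 126: // 16-bit extended length follows
		var ext [2]byte
		if _, err := io.ReadFull(r, ext[:]); err != nil {
			return 0, err
		}
		n = int64(binary.BigEndian.Uint16(ext[:]))
	case 127: // 64-bit extended length follows
		var ext [8]byte
		if _, err := io.ReadFull(r, ext[:]); err != nil {
			return 0, err
		}
		u := binary.BigEndian.Uint64(ext[:])
		if u>>63 != 0 { // RFC 6455: top bit must be zero
			return 0, errors.New("websocket: invalid payload length")
		}
		n = int64(u)
	}
	if limit > 0 && n > limit {
		return n, ErrReadLimit
	}
	return n, nil
}

// readFrame returns the payload of one frame, or ErrReadLimit. The marked
// allocation is what a peer-controlled, unbounded length turns into an OOM.
func readFrame(r io.Reader, limit int64) ([]byte, error) {
	n, err := readFrameHeader(r, limit)
	if err != nil {
		return nil, err
	}
	payload := make([]byte, n) // peer-controlled size; bounded only by limit
	if _, err := io.ReadFull(r, payload); err != nil {
		return nil, err
	}
	return payload, nil
}

// encodeFrame builds an unmasked text frame whose header declares `declared`
// bytes but carries only payload (constructed test data; a hostile peer can
// declare far more than it ever sends).
func encodeFrame(declared uint64, payload []byte) []byte {
	hdr := []byte{0x81} // FIN + text opcode
	switch {
	case declared < 126:
		hdr = append(hdr, byte(declared))
	case declared <= 0xffff:
		hdr = append(hdr, 126, byte(declared>>8), byte(declared))
	default:
		var ext [8]byte
		binary.BigEndian.PutUint64(ext[:], declared)
		hdr = append(append(hdr, 127), ext[:]...)
	}
	return append(hdr, payload...)
}

// ReadDeclared feeds a header-only frame declaring `declared` bytes to
// readFrame and reports the error; with a limit, oversized headers are
// refused before the allocation in readFrame happens.
func ReadDeclared(declared uint64, limit int64) error {
	_, err := readFrame(bytes.NewReader(encodeFrame(declared, nil)), limit)
	return err
}

func main() {
	p, err := readFrame(bytes.NewReader(encodeFrame(5, []byte("hello"))), DefaultReadLimit)
	fmt.Printf("small frame: %q err=%v\n", p, err)
	fmt.Println("4 GiB declared, limit 8192:", ReadDeclared(4<<30, DefaultReadLimit))
}
```

With the limit set, a header declaring 4 GiB is rejected after reading at most ten header bytes; with the limit at 0 the same header is accepted and the allocation proceeds, which is the failure mode the PR closes. A limit that is too low for legitimate JSON-RPC requests will instead surface as read errors on the connection, so the flag's value needs to be sized to the largest request the server is expected to accept.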

@igorcrevar igorcrevar added the bug fix Functionality that fixes a bug label Sep 4, 2023
@igorcrevar igorcrevar requested a review from a team September 4, 2023 11:49
@igorcrevar igorcrevar self-assigned this Sep 4, 2023

@vcastellm vcastellm (Contributor) left a comment:

LGTM

@igorcrevar igorcrevar merged commit 054bef4 into develop Sep 5, 2023
6 checks passed
@igorcrevar igorcrevar deleted the feature/EVM-819-DOS-attack-WS branch September 5, 2023 08:18
@github-actions github-actions bot locked and limited conversation to collaborators Sep 5, 2023