Skip to content

fix(webrtc): harden /sdp HTTP server against memory-amplification DoS (#1354)#1380

Open
yashksaini-coder wants to merge 2 commits into
libp2p:mainfrom
yashksaini-coder:worktree-fix+webrtc-sdp-server-hardening-1354
Open

fix(webrtc): harden /sdp HTTP server against memory-amplification DoS (#1354)#1380
yashksaini-coder wants to merge 2 commits into
libp2p:mainfrom
yashksaini-coder:worktree-fix+webrtc-sdp-server-hardening-1354

Conversation

@yashksaini-coder

Copy link
Copy Markdown
Contributor

Summary

Closes #1354.

The POST /sdp HTTP handler in WebRTCDirectListener had two unbounded read paths that allowed a remote attacker to consume server memory or hold async tasks indefinitely:

  • Unbounded header loopwhile True: with only a per-readline 15s timeout. A slow attacker could send one header line every 14s and hold the connection forever.
  • Unbounded body allocationreader.readexactly(content_length) where content_length is attacker-controlled. Content-Length: 2147483647 causes asyncio's StreamReader to grow a ~2 GiB buffer per connection before the timeout fires.

Fix

Three constants + early rejection before any body buffer is allocated:

Constant Value Behaviour on violation
_MAX_SDP_BODY_SIZE 32 KiB 413 Payload Too Large
_MAX_HEADER_LINES 64 400 Bad Request
_MAX_HEADER_BYTES 8 KiB 400 Bad Request

Non-integer and negative Content-Length values also return 400. The existing _SDP_HTTP_TIMEOUT (15s per readline/readexactly) is unchanged.

Uses Python's for/else idiom: the else clause fires when the header loop exhausts _MAX_HEADER_LINES reads without finding the blank-line terminator. Early return inside try/finally still closes the writer correctly.

Test plan

  • Content-Length: 999999999413, RSS high-water mark does not grow by > 1 MiB (body not allocated)
  • Content-Length: notanumber400
  • Content-Length: -1400
  • Content-Length: _MAX_SDP_BODY_SIZE (exactly at limit) → 200 (happy path still works)
  • _MAX_HEADER_LINES + 1 non-blank header lines → 400
  • Single header line > _MAX_HEADER_BYTES400
  • Valid SDP request → 200, on_offer callback receives correct body
  • All 161 WebRTC tests pass (154 existing + 7 new)
  • ruff, mypy, pyrefly, pre-commit all clean

Scope note

This harness is documented as a temporary py-to-py scaffold (not interop-compatible with go/js libp2p). The fix raises the bar from "trivially DoSable over LAN" to "needs real attacker model" — appropriate hardening while the STUN-based listener (#1352) is in spike.

Refs #546, #1309, #1352.

Closes libp2p#1354.

The POST /sdp dev-harness handler had two unbounded read paths:
  - A `while True` header loop with only a per-line timeout, allowing an
    attacker to hold a task indefinitely by sending header lines slowly.
  - `reader.readexactly(content_length)` on an attacker-controlled value;
    Content-Length: 2147483647 causes asyncio to grow a ~2 GiB buffer.

Fix: three bounded constants + early rejection before any body allocation.

  _MAX_SDP_BODY_SIZE = 32 KiB   → Content-Length > limit → 413
  _MAX_HEADER_LINES  = 64        → no blank line after N reads → 400
  _MAX_HEADER_BYTES  = 8 KiB    → accumulated header size → 400

Non-integer and negative Content-Length values also return 400.
The existing 15s per-readline/_readexactly timeout is unchanged.

Adds 7 regression tests covering all acceptance criteria from the issue,
including a soft RSS high-water check confirming the body buffer is not
allocated before the 413 is sent.

Refs libp2p#546, libp2p#1309, libp2p#1352.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

harden: bound Content-Length and header reads on WebRTC Direct HTTP /sdp dev harness

1 participant