fix(webrtc): harden /sdp HTTP server against memory-amplification DoS (#1354)#1380
Open
yashksaini-coder wants to merge 2 commits into
Open
Conversation
Closes libp2p#1354. The POST /sdp dev-harness handler had two unbounded read paths: - A `while True` header loop with only a per-line timeout, allowing an attacker to hold a task indefinitely by sending header lines slowly. - `reader.readexactly(content_length)` on an attacker-controlled value; Content-Length: 2147483647 causes asyncio to grow a ~2 GiB buffer. Fix: three bounded constants + early rejection before any body allocation. _MAX_SDP_BODY_SIZE = 32 KiB → Content-Length > limit → 413 _MAX_HEADER_LINES = 64 → no blank line after N reads → 400 _MAX_HEADER_BYTES = 8 KiB → accumulated header size → 400 Non-integer and negative Content-Length values also return 400. The existing 15s per-readline/_readexactly timeout is unchanged. Adds 7 regression tests covering all acceptance criteria from the issue, including a soft RSS high-water check confirming the body buffer is not allocated before the 413 is sent. Refs libp2p#546, libp2p#1309, libp2p#1352.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #1354.
The
POST /sdpHTTP handler inWebRTCDirectListenerhad two unbounded read paths that allowed a remote attacker to consume server memory or hold async tasks indefinitely:while True:with only a per-readline 15s timeout. A slow attacker could send one header line every 14s and hold the connection forever.reader.readexactly(content_length)wherecontent_lengthis attacker-controlled.Content-Length: 2147483647causes asyncio's StreamReader to grow a ~2 GiB buffer per connection before the timeout fires.Fix
Three constants + early rejection before any body buffer is allocated:
_MAX_SDP_BODY_SIZE413 Payload Too Large_MAX_HEADER_LINES400 Bad Request_MAX_HEADER_BYTES400 Bad RequestNon-integer and negative
Content-Lengthvalues also return400. The existing_SDP_HTTP_TIMEOUT(15s per readline/readexactly) is unchanged.Uses Python's
for/elseidiom: theelseclause fires when the header loop exhausts_MAX_HEADER_LINESreads without finding the blank-line terminator. Earlyreturninsidetry/finallystill closes the writer correctly.Test plan
Content-Length: 999999999→413, RSS high-water mark does not grow by > 1 MiB (body not allocated)Content-Length: notanumber→400Content-Length: -1→400Content-Length: _MAX_SDP_BODY_SIZE(exactly at limit) →200(happy path still works)_MAX_HEADER_LINES + 1non-blank header lines →400_MAX_HEADER_BYTES→400200,on_offercallback receives correct bodyScope note
This harness is documented as a temporary py-to-py scaffold (not interop-compatible with go/js libp2p). The fix raises the bar from "trivially DoSable over LAN" to "needs real attacker model" — appropriate hardening while the STUN-based listener (#1352) is in spike.
Refs #546, #1309, #1352.