archives/snowflake
2
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git synced 2025-10-13 11:11:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Guard against large reads

Browse source 
This is a fix for #26348
This commit is contained in:
Cecylia Bocovich 2019-05-10 15:36:04 -04:00
parent 5380aaca8c
commit ce3101d016
3 changed files with 5 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

6
broker/broker.go
View file

@ -136,7 +136,7 @@ For snowflake proxies to request a client from the Broker.
*/
func proxyPolls(ctx *BrokerContext, w http.ResponseWriter, r *http.Request) {
id := r.Header.Get("X-Session-ID")
body, err := ioutil.ReadAll(r.Body)
body, err := ioutil.ReadAll(http.MaxBytesReader(w, r.Body, 100000))
if nil != err {
log.Println("Invalid data.")
w.WriteHeader(http.StatusBadRequest)
@ -166,7 +166,7 @@ the HTTP response back to the client.
*/
func clientOffers(ctx *BrokerContext, w http.ResponseWriter, r *http.Request) {
startTime := time.Now()
offer, err := ioutil.ReadAll(r.Body)
offer, err := ioutil.ReadAll(http.MaxBytesReader(w, r.Body, 100000))
if nil != err {
log.Println("Invalid data.")
w.WriteHeader(http.StatusBadRequest)
@ -213,7 +213,7 @@ func proxyAnswers(ctx *BrokerContext, w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusGone)
return
}
body, err := ioutil.ReadAll(r.Body)
body, err := ioutil.ReadAll(http.MaxBytesReader(w, r.Body, 100000))
if nil != err || nil == body || len(body) <= 0 {
log.Println("Invalid data.")
w.WriteHeader(http.StatusBadRequest)

2
client/lib/rendezvous.go
View file

@ -91,7 +91,7 @@ func (bc *BrokerChannel) Negotiate(offer *webrtc.SessionDescription) (
switch resp.StatusCode {
case http.StatusOK:
body, err := ioutil.ReadAll(resp.Body)
body, err := ioutil.ReadAll(http.MaxBytesReader(nil, resp.Body, 100000))
if nil != err {
return nil, err
}

2
proxy-go/snowflake.go
View file

@ -162,7 +162,7 @@ func pollOffer(sid string) *webrtc.SessionDescription {
if resp.StatusCode != http.StatusOK {
log.Printf("broker returns: %d", resp.StatusCode)
} else {
body, err := ioutil.ReadAll(resp.Body)
body, err := ioutil.ReadAll(http.MaxBytesReader(nil, resp.Body, 100000))
if err != nil {
log.Printf("error reading broker response: %s", err)
} else {