websocket/websocket.go · 8b4af36cd21a1f85a7484b49feb7c79363106d8e · go / net

websocket: limit incoming payload size · 6dba816f

Artyom Pervukhin authored May 31, 2016

Codec's Receive method calls io.ReadAll of the whole frame payload,
which can be abused by user sending large payloads in order to exhaust
server memory.

Introduce limit on received payload size defined by
Conn.MaxPayloadBytes. If payload size of the message read with
Codec.Receive exceeds limit, ErrFrameTooLarge error is returned; the
connection can still be recovered if required: the next call to Receive
would at first discard leftovers of previous oversized message before
processing the next one.

Fixes golang/go#5082.

Change-Id: Ib04acd7038474fee39a1719324daaec1c0c496b1
Reviewed-on: https://go-review.googlesource.com/23590Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

6dba816f

websocket.go 11.7 KB

Replace websocket.go