    websocket: limit incoming payload size · 6dba816f
    Artyom Pervukhin authored
    Codec's Receive method calls io.ReadAll of the whole frame payload,
    which can be abused by a user sending large payloads in order to exhaust
    server memory.
    
    Introduce a limit on received payload size defined by
    Conn.MaxPayloadBytes. If the payload size of the message read with
    Codec.Receive exceeds the limit, an ErrFrameTooLarge error is returned; the
    connection can still be recovered if required: the next call to Receive
    would first discard the leftovers of the previous oversized message before
    processing the next one.
    
    Fixes golang/go#5082.
    
    Change-Id: Ib04acd7038474fee39a1719324daaec1c0c496b1
    Reviewed-on: https://go-review.googlesource.com/23590
    Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
    Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
    TryBot-Result: Gobot Gobot <gobot@golang.org>
websocket.go 11.7 KB
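
The limit-and-recover behaviour the commit message describes, as an added sketch that is not the websocket package's own code. It assumes a constructed wire format (4-byte big-endian length, then payload) instead of real WebSocket framing; `frameReader`, `maxBytes`, `leftover`, `errFrameTooLarge` and `frame` are hypothetical names standing in for the Conn, `Conn.MaxPayloadBytes` and `ErrFrameTooLarge` named above.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

var errFrameTooLarge = errors.New("frame payload too large") // stand-in for ErrFrameTooLarge

// frameReader reads a constructed format: 4-byte big-endian length, then payload.
type frameReader struct {
	r        io.Reader
	maxBytes int64 // plays the role of Conn.MaxPayloadBytes
	leftover int64 // unread payload bytes of a rejected frame
}

func (f *frameReader) Receive() ([]byte, error) {
	// Discard the rest of a previously rejected frame to realign the stream.
	if _, err := io.CopyN(io.Discard, f.r, f.leftover); err != nil {
		return nil, err
	}
	f.leftover = 0
	var hdr [4]byte
	if _, err := io.ReadFull(f.r, hdr[:]); err != nil {
		return nil, err
	}
	n := int64(binary.BigEndian.Uint32(hdr[:]))
	if n > f.maxBytes {
		f.leftover = n // reject before allocating or reading the payload
		return nil, errFrameTooLarge
	}
	buf := make([]byte, n)
	_, err := io.ReadFull(f.r, buf)
	return buf, err
}
func frame(p []byte) []byte { // encodes p in the constructed format above
	hdr := make([]byte, 4, 4+len(p))
	binary.BigEndian.PutUint32(hdr, uint32(len(p)))
	return append(hdr, p...)
}

func main() {
	fr := &frameReader{r: bytes.NewReader(append(frame(make([]byte, 1<<20)), frame([]byte("ok"))...)), maxBytes: 1024}
	_, err := fr.Receive() // constructed input: 1 MiB frame, then "ok"
	msg, err2 := fr.Receive()
	fmt.Println(err, string(msg), err2)
}
```

The oversized frame is rejected from its declared length alone, so memory use is bounded by `maxBytes` per message, and the deferred discard is what keeps the connection usable for the next frame.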