fixed an DoS vulnerability in Mochiweb/SSL
Project: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/commit/7cf56e3b
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/tree/7cf56e3b
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/diff/7cf56e3b
Branch: refs/heads/upstream
Commit: 7cf56e3babb89e9bf486b79aa40d11b042eda591
Parents: ce37cb2
Author: Atilla Erdodi <[email protected]>
Authored: Tue Jan 25 02:27:12 2011 +0100
Committer: Marc Worrell <[email protected]>
Committed: Wed Oct 15 12:45:57 2014 +0200
----------------------------------------------------------------------
 src/mochiweb_socket.erl | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb-mochiweb/blob/7cf56e3b/src/mochiweb_socket.erl
----------------------------------------------------------------------
diff --git a/src/mochiweb_socket.erl b/src/mochiweb_socket.erl
index 76b018c..bf503cc 100644
--- a/src/mochiweb_socket.erl
+++ b/src/mochiweb_socket.erl
@@ -8,6 +8,9 @@
 setopts/2, type/1]).
 -define(ACCEPT_TIMEOUT, 2000).
+-define(SSL_TIMEOUT, 10000).
+-define(SSL_HANDSHAKE_TIMEOUT, 20000).
+
 listen(Ssl, Port, Opts, SslOpts) ->
 case Ssl of
@@ -25,9 +28,9 @@ listen(Ssl, Port, Opts, SslOpts) ->
 accept({ssl, ListenSocket}) ->
 % There's a bug in ssl:transport_accept/2 at the moment, which is the
 % reason for the try...catch block. Should be fixed in OTP R14.
- try ssl:transport_accept(ListenSocket) of
+ try ssl:transport_accept(ListenSocket, ?SSL_TIMEOUT) of
 {ok, Socket} ->
- case ssl:ssl_accept(Socket) of
+ case ssl:ssl_accept(Socket, ?SSL_HANDSHAKE_TIMEOUT) of
 ok ->
 {ok, {ssl, Socket}};
 {error, _} = Err ->
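Review bot: The two macros added in the first hunk, `?SSL_TIMEOUT` and `?SSL_HANDSHAKE_TIMEOUT`, have no comment giving their unit or explaining why the SSL accept limit (10000) differs from the existing `?ACCEPT_TIMEOUT` (2000) just above. Since these values are the whole of the DoS mitigation, I would add a comment above them such as `%% Milliseconds. Upper bounds on ssl:transport_accept/2 and on the TLS handshake, so a peer that connects and then stalls cannot block accept/1 indefinitely.` Both limits are compile-time constants, so an operator cannot tighten them for a busy listener without rebuilding; reading them from the listener options would be worth considering in a follow-up.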
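Review bot: The handshake in the `accept({ssl, ListenSocket})` clause is now bounded, but it still runs inline in whichever process called `accept/1`, so a peer that connects and then stays silent keeps that caller busy for up to `?SSL_HANDSHAKE_TIMEOUT` (20 s) per connection. If the callers are a fixed pool of acceptors (not visible in this hunk), the timeout narrows the stall rather than removing it; I would record that next to the call, e.g. `% Bounded, not eliminated: a silent peer still occupies this acceptor for ?SSL_HANDSHAKE_TIMEOUT ms.`, and consider a shorter limit. The body of the `{error, _} = Err ->` branch starts outside the hunk, so it should be confirmed that `Socket` is closed there when `ssl:ssl_accept/2` returns a timeout, otherwise timed-out connections could accumulate descriptors. The retained comment about the `ssl:transport_accept/2` bug predates this change and should be re-checked now that the two-argument form is the one being called.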
