Comments (1)
Yes, you're right. If the client specifies that it sends 4GB of the message, and it sends 3.9GB and keeps the connection open, the server must allocate that memory expecting the client to send the remaining 0.1GB of the message.
Once #54 has been merged, that maximum could be specified by a parameter for the FramedTcp listener. Nevertheless, I think adding a maximum only adds more work for the attacker, but it's still vulnerable. The attacker only needs to create more connections leaving incomplete messages.
I think a better solution to protect against this attack is to close the server FramedTcp connection if the endpoint is not sending more fragments when it is in the middle of building a framed message. This "timeout" could also be configured by #54 when the listener is created; you could even mix both, a maximum and a timeout.
from message-io.
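One way to implement both mitigations the comment proposes (a maximum declared frame size, enforced before any allocation, plus a timeout on frames that stop growing), written here as an added Rust example; it is not message-io's code and it assumes a 4-byte big-endian length prefix, which is an assumption about the framing rather than message-io's actual format.

```rust
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum FrameError {
    TooLarge(u32), // declared length exceeds the configured maximum
    Stalled,       // a partial frame stopped growing for too long
}

/// Decoder for 4-byte big-endian length-prefixed frames (assumed layout).
/// It refuses to buffer a frame whose header announces more than `max_len`
/// bytes, and reports a stall when a partial frame stops growing.
pub struct FrameDecoder {
    max_len: u32,
    stall_timeout: Duration,
    buf: Vec<u8>,
    last_progress: Instant,
}

impl FrameDecoder {
    pub fn new(max_len: u32, stall_timeout: Duration, now: Instant) -> Self {
        Self { max_len, stall_timeout, buf: Vec::new(), last_progress: now }
    }

    /// Append received bytes and return every complete frame.
    pub fn feed(&mut self, data: &[u8], now: Instant) -> Result<Vec<Vec<u8>>, FrameError> {
        if !data.is_empty() {
            self.last_progress = now; // any new fragment counts as progress
        }
        self.buf.extend_from_slice(data);
        let mut frames = Vec::new();
        while self.buf.len() >= 4 {
            let len = u32::from_be_bytes([self.buf[0], self.buf[1], self.buf[2], self.buf[3]]);
            if len > self.max_len {
                return Err(FrameError::TooLarge(len)); // reject before reserving memory
            }
            let total = 4 + len as usize;
            if self.buf.len() < total {
                break; // partial frame: keep waiting, buffered bytes bounded by max_len
            }
            frames.push(self.buf[4..total].to_vec());
            self.buf.drain(..total);
        }
        Ok(frames)
    }

    /// Poll periodically; Err(Stalled) means the endpoint should be disconnected.
    pub fn check_stall(&self, now: Instant) -> Result<(), FrameError> {
        let idle = now.duration_since(self.last_progress) >= self.stall_timeout;
        if !self.buf.is_empty() && idle { Err(FrameError::Stalled) } else { Ok(()) }
    }
}
```

The stall timer here is an idle timer, as the comment describes; a deadline measured from the first byte of the frame would additionally bound a peer that trickles one byte per interval.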