non-TLS socket accepted is blocking by default #56

Open
veeg opened this issue Jul 26, 2018 · 2 comments


veeg commented Jul 26, 2018

The documentation for nopoll_conn_get_msg() states that the accepted socket will be non-blocking by default. This is not the case when the accepted socket has not enabled TLS.

The following line in the internal accept method states it will set non-blocking, and then it sets blocking.

nopoll/src/nopoll_conn.c

Lines 4692 to 4693 in e80b74a

/* configure non blocking mode */
nopoll_conn_set_sock_block (session, nopoll_true);

This is not the case for TLS sockets, as evidenced by this line:

nopoll/src/nopoll_conn.c

Lines 4874 to 4877 in e80b74a

/* don't complete here the operation but flag it as
* pending */
conn->pending_ssl_accept = nopoll_true;
nopoll_conn_set_sock_block (conn->session, nopoll_false);

Documentation for nopoll_conn_get_msg() states that default is non-blocking

nopoll/src/nopoll_conn.c

Lines 3034 to 3036 in e80b74a

* This function is design to not block the caller. However,
* connection socket must be in non-blocking configuration. If you
* have not configured anything, this is the default.

This confusing behavior has tripped up multiple co-workers of mine, including me for a time, until I fully comprehended both the websocket standard and the nopoll implementation.


xhsjdm commented Dec 20, 2018

I've gotten the same problem with non-TLS.
Could I simply move
"nopoll_conn_set_sock_block (conn->session, nopoll_false);"
from
"
/* don't complete here the operation but flag it as
 * pending */
conn->pending_ssl_accept = nopoll_true;
nopoll_conn_set_sock_block (conn->session, nopoll_false);
"
out of
"
if (listener->tls_on || tls_on) {
    /* reached this point, ensure tls is enabled on this
     * session */
    conn->tls_on = nopoll_true;
    ...
    nopoll_log (ctx, NOPOLL_LEVEL_DEBUG, "Prepared TLS session to be activated on next reads (conn id %d)", conn->id);

} /* end if */
"
?

I tried it and tested it simply; it works.

@samisallinen

This issue leaves a server using libnopoll a victim of a super-easy denial-of-service attack: just telnet to the non-TLS port of the server and send one character (e.g. press ctrl-c). The nopoll thread will be waiting forever to receive a full line of text, blocking traffic on all other connections. The fix suggested above seems to work.
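The behaviour this thread asks for, shown as an added example that is not part of the thread or of noPoll's source: an accepted socket left in non-blocking mode returns at once on a partial line, so one idle peer cannot stall the reader. It uses plain POSIX calls on a constructed `socketpair`; `set_nonblocking`, `try_read_line` and `demo_partial_line` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper, not a noPoll API: switch fd to non-blocking mode. */
static int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    return flags < 0 ? -1 : fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Hypothetical helper: collect one '\n'-terminated line without waiting.
 * Returns 1 = full line in buf, 0 = line still incomplete (go back to the
 * poll loop), -1 = error, peer closed, or line longer than cap. */
static int try_read_line(int fd, char *buf, size_t cap, size_t *used)
{
    while (*used < cap - 1) {
        ssize_t n = recv(fd, buf + *used, 1, 0);
        if (n == 0) return -1;
        if (n < 0) {
            if (errno == EINTR) continue;
            return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
        }
        if (buf[(*used)++] == '\n') {
            buf[*used] = '\0';
            return 1;
        }
    }
    return -1;
}

/* Constructed scenario: peer sends one byte, then the rest; 1 = no stall. */
int demo_partial_line(void)
{
    int sv[2], first, second;
    char buf[64];
    size_t used = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || set_nonblocking(sv[0]) < 0)
        return -1;
    if (send(sv[1], "G", 1, 0) != 1) return -1;
    first = try_read_line(sv[0], buf, sizeof buf, &used);   /* incomplete */
    if (send(sv[1], "ET / HTTP/1.1\n", 14, 0) != 14) return -1;
    second = try_read_line(sv[0], buf, sizeof buf, &used);  /* complete */
    close(sv[0]); close(sv[1]);
    return first == 0 && second == 1 && strcmp(buf, "GET / HTTP/1.1\n") == 0;
}

int main(void) { return demo_partial_line() == 1 ? 0 : 1; }
```

The partial bytes stay in the caller's buffer between calls, so a server loop can service other connections and retry this one when the socket becomes readable again.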
