From f13685ee97675be2ac9502d177d3024ebc49c1e0 Mon Sep 17 00:00:00 2001
From: Arjan Filius
Date: Thu, 17 Oct 2019 09:05:13 +0200
Subject: [PATCH] AsyncEvents/ServerSideEvents: prevent internal DOS by prevent overflowing messageQueue (#621)
* Prevent tcp/wifi DOS lockup by preventing number of messages in queue, drop otherwise
* Define (renamed) MAX_SSE_Clients
---
 src/AsyncEventSource.cpp | 12 ++++++++----
 src/AsyncEventSource.h | 17 +++++++++++++++++
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/src/AsyncEventSource.cpp b/src/AsyncEventSource.cpp
index ad188e8..f2914df 100644
--- a/src/AsyncEventSource.cpp
+++ b/src/AsyncEventSource.cpp
@@ -184,10 +184,14 @@ void AsyncEventSourceClient::_queueMessage(AsyncEventSourceMessage *dataMessage)
 delete dataMessage;
 return;
 }
-
- _messageQueue.add(dataMessage);
-
- _runQueue();
+ if(_messageQueue.length() >= SSE_MAX_QUEUED_MESSAGES){
+ ets_printf("ERROR: Too many messages queued\n");
+ delete dataMessage;
+ } else {
+ _messageQueue.add(dataMessage);
+ }
+ if(_client->canSend())
+ _runQueue();
 }
 void AsyncEventSourceClient::_onAck(size_t len, uint32_t time){
diff --git a/src/AsyncEventSource.h b/src/AsyncEventSource.h
index 7c212e9..b097fa6 100644
--- a/src/AsyncEventSource.h
+++ b/src/AsyncEventSource.h
@@ -23,11 +23,28 @@
 #include
 #ifdef ESP32
 #include
+#define SSE_MAX_QUEUED_MESSAGES 32
 #else
 #include
+#define SSE_MAX_QUEUED_MESSAGES 8
 #endif
 #include
+#include "AsyncWebSynchronization.h"
+
+#ifdef ESP8266
+#include
+#ifdef CRYPTO_HASH_h // include Hash.h from espressif framework if the first include was from the crypto library
+#include <../src/Hash.h>
+#endif
+#endif
+
+#ifdef ESP32
+#define DEFAULT_MAX_SSE_CLIENTS 8
+#else
+#define DEFAULT_MAX_SSE_CLIENTS 4
+#endif
+
 class AsyncEventSource;
 class AsyncEventSourceResponse;
 class AsyncEventSourceClient;
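Review bot: The drop branch in `_queueMessage` calls `ets_printf` once for every rejected message, so a client that stops acknowledging turns each later send into a serial write for as long as the stall lasts, which is the overload this patch is meant to survive. Logging only the first drop per client would keep the signal without the flood, for example `if(_dropped++ == 0) ets_printf("ERROR: Too many messages queued\n");` with `_dropped` as a new per-client counter that also gives callers a way to see how much was lost. The cap bounds the number of queued messages, not their bytes, and nothing in the hunk closes a client whose queue stays full, so heap pressure from large events is reduced rather than removed. The function begins above the hunk; `_client->canSend()` presumably relies on the early return visible in the context lines to guarantee `_client` is non-null, which is worth confirming.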
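Review bot: `SSE_MAX_QUEUED_MESSAGES` and `DEFAULT_MAX_SSE_CLIENTS` are defined unconditionally in both the ESP32 and the fallback branch, so a project that passes its own value with `-D` gets a macro redefinition instead of an override. Wrapping each definition as `#ifndef SSE_MAX_QUEUED_MESSAGES` / `#define SSE_MAX_QUEUED_MESSAGES 32` / `#endif` (and likewise for the client limit) would let memory-constrained targets lower the caps. `DEFAULT_MAX_SSE_CLIENTS` is not referenced by either hunk of this patch, so unless it is enforced elsewhere the client limit is declared but not applied. A short comment on each macro stating what it bounds (queued messages per client; presumably concurrent clients per event source) would make the intent clear.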