DOS by capturing all threads
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
HTTPy | Fix Committed | High | Corbin | |
Bug Description
By 'thread' I mean a threaded ClientHandler object.
After a connection is made and passed off to the queue, one of the threads takes it out of the queue and handles it. Basically, it just waits for the client to send his request, figures out what the client wants, sends it to the client, and closes the connection. But if the client never sends a request, the thread just sits and waits until the client closes the connection. Using this, an attacker is able to deny service to legitimate clients by capturing all of the server's threads. This is very easy to do, as the default configuration uses only five threads.
I am attaching the exploit code I used to research this vulnerability.
I would recommend fixing this bug by setting a limit on how long a thread can wait for a request. Something like 25 ms. If the connected client doesn't send a request in that time, the thread just closes the connection and moves on to the next client on the queue.
Changed in httpy:
status: Confirmed → Fix Committed
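The mitigation recommended in the bug description, sketched as an added example (this is not HTTPy's code or the committed fix). The `worker` function is a hypothetical stand-in for a pooled handler thread, the 0.3 s timeout and 8192-byte cap are assumed values, and the clients are constructed in-process with `socket.socketpair()`. It uses a single deadline for the whole request rather than a per-`recv` timeout, so a client that trickles bytes cannot keep resetting the clock.

```python
import queue
import socket
import threading
import time

REQUEST_TIMEOUT = 0.3  # assumed value for this sketch; tune to real client latency

def read_request(conn, timeout=REQUEST_TIMEOUT, max_bytes=8192):
    """Return the request head, or None if it is not complete by the deadline."""
    deadline = time.monotonic() + timeout  # one deadline for the whole request,
    data = b""                             # so trickled bytes do not reset it
    while b"\r\n\r\n" not in data:
        remaining = deadline - time.monotonic()
        if remaining <= 0 or len(data) > max_bytes:
            return None
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            return None
        if not chunk:  # peer closed before finishing the request
            return None
        data += chunk
    return data

def worker(jobs, results, timeout):
    """Hypothetical stand-in for a pooled handler thread (not HTTPy's ClientHandler)."""
    while (conn := jobs.get()) is not None:
        with conn:  # always close, freeing the thread for the next queued client
            ok = read_request(conn, timeout) is not None
            if ok:
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
            results.append("served" if ok else "dropped")

def demo(timeout=REQUEST_TIMEOUT):
    """Constructed scenario: one worker, a silent client queued ahead of a real one."""
    jobs, results = queue.Queue(), []
    idle_client, idle_server = socket.socketpair()  # connects, never sends
    good_client, good_server = socket.socketpair()
    good_client.sendall(b"GET / HTTP/1.0\r\n\r\n")
    for item in (idle_server, good_server, None):
        jobs.put(item)
    thread = threading.Thread(target=worker, args=(jobs, results, timeout))
    thread.start()
    thread.join()
    reply = good_client.recv(4096)
    idle_client.close()
    good_client.close()
    return results, reply
```

`demo()` returns `(["dropped", "served"], reply)`: the silent connection costs the worker at most one timeout before the queued legitimate request is answered.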