From fd3da82dd7772419c01bb751e5b5cb7f198b4752 Mon Sep 17 00:00:00 2001 From: Roland Reichwein Date: Thu, 26 Jan 2023 19:14:05 +0100 Subject: websocket bugfix: socket leak --- http.cpp | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) (limited to 'http.cpp') diff --git a/http.cpp b/http.cpp index 893f1f0..2d78212 100644 --- a/http.cpp +++ b/http.cpp @@ -1,7 +1,6 @@ #include "http.h" #include "config.h" -#include "error.h" #include "server.h" #include "response.h" #include "websocket.h" @@ -46,6 +45,32 @@ using namespace Reichwein; namespace { + // Report a failure +void fail(boost::beast::error_code ec, char const* what) +{ + // ssl::error::stream_truncated, also known as an SSL "short read", + // indicates the peer closed the connection without performing the + // required closing handshake (for example, Google does this to + // improve performance). Generally this can be a security issue, + // but if your communication protocol is self-terminated (as + // it is with both HTTP and WebSocket) then you may simply + // ignore the lack of close_notify. + // + // https://github.com/boostorg/beast/issues/38 + // + // https://security.stackexchange.com/questions/91435/how-to-handle-a-malicious-ssl-tls-shutdown + // + // When a short read would cut off the end of an HTTP message, + // Beast returns the error beast::http::error::partial_message. + // Therefore, if we see a short read here, it has occurred + // after the message has been completed, so it is safe to ignore it. + + if (ec == boost::asio::ssl::error::stream_truncated) + return; + + std::cerr << what << ": " << ec.message() << "\n"; +} + // Handles an HTTP server connection template class session -- cgit v1.2.3