From 713521318289919cc481bf15f28a4a06554485dc Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 18 Apr 2017 14:43:16 -0400
Subject: memory DOS prevention

Prevent DOS of user side by limiting the size of the BackLog that is maintained. This should not cause problems in even high latency environments, and should prevent memory use > 16 mb.

The developer side does not keep much data, other than a list of the Hashes of things it has recently sent, so is not susceptable to memory DOS.

This commit was sponsored by Brock Spratlen on Patreon.
---
 debug-me.hs | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

(limited to 'debug-me.hs')

diff --git a/debug-me.hs b/debug-me.hs
index 3cc1f09..8ff38ed 100644
--- a/debug-me.hs
+++ b/debug-me.hs
@@ -5,6 +5,7 @@ module Main where
 import Types
 import Hash
 import Pty
+import Memory
 import CmdLine
 import Log
 import Graphviz
@@ -251,7 +252,8 @@ sendPtyInput ichan ochan p backlog logger = go
 bl <- readTVar backlog
 -- Don't need to retain backlog before the Activity
 -- that entered references.
- let bl'@(Backlog bll) = truncateBacklog bl entered
+ let bl'@(Backlog bll) = reduceBacklog $
+ truncateBacklog bl entered
 if isLegalEntered entered bl'
 then do
 let l = mkActivityLog (ActivityEntered entered) now
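Review bot: The comment above the changed `let` still explains only `truncateBacklog`, while the new expression also caps the backlog independently of what `entered` references, so a reader investigating a rejected Entered cannot see from this site that `reduceBacklog` may have discarded the Seen activity it points to. Suggest extending the comment: `-- Also cap the backlog size (see reduceBacklog) so a peer cannot grow it without bound; a very stale Entered may then fail isLegalEntered.` That the cap can cause an `isLegalEntered` failure is inferred from how the two functions are shaped, not shown on these lines. sendPtyInput begins and ends outside the hunk.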
@@ -293,6 +295,18 @@ truncateBacklog (Backlog (b :| l)) (Activity _ hp _)
 truncationpoint x@(ActivityLog { loggedActivity = ActivitySeen {}}) = Just (loggedHash x) == hp
 truncationpoint _ = False
 
+-- | To avoid DOS attacks that try to fill up the backlog and so use all
+-- memory, don't let the backlog contain more than 1000 items, or
+-- more than 16 megabytes of total data. (Excluding the most recent
+-- item).
+reduceBacklog :: Backlog -> Backlog
+reduceBacklog (Backlog (b :| l)) = Backlog (b :| go 0 (take 1000 l))
+ where
+ go _ [] = []
+ go n (x:xs)
+ | n > 16777216 = []
+ | otherwise = x : go (n + dataSize x) xs
+
 -- | Entered activity is legal when it points to the last Seen activvity,
 -- because this guarantees that the person who entered it saw
 -- the current state of the system before manipulating it.
-- cgit v1.2.3
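Review bot: The byte guard in `go` tests the size accumulated before `x`, so `x` is kept whenever the items preceding it fit, and the retained tail can reach 16777216 plus the `dataSize` of one further item, plus the head `b`, which is never counted; if a single activity can carry a large payload the ceiling the commit message promises does not hold. Checking the candidate first, `| n + dataSize x > 16777216 = []`, makes the tail bound hard. The two limits would also read better as named top-level constants (e.g. `maxBacklogItems = 1000`, `maxBacklogBytes = 16777216`) referenced from the Haddock comment, which should state that the cap applies to the tail and that `b` is exempt. `dataSize` is presumably supplied by the `Memory` import added in the first hunk; its units are not visible here.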