Fix DOS attack from malicious pongs

A double channel close panic was possible if a peer sent back multiple pongs for every ping. If the second pong arrived before the ping goroutine deleted its channel from the map, the channel would be closed twice and so a panic would ensue. This fixes that by having the read goroutine send on the ping goroutine's channel rather than closing it. Reported via email by Tibor Kálmán @kalmant Please update to the new release ASAP!

Fix DOS attack from malicious pongs
129d3035 · Anmol Sethi · e4c3b0f8 · 129d3035 · 129d3035
Unverified Commit 129d3035 authored Apr 7, 2021 by Anmol Sethi
--- a/conn_notjs.go
+++ b/conn_notjs.go
@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {
 }
 func (c *Conn) ping(ctx context.Context, p string) error {
-	pong := make(chan struct{})
+	pong := make(chan struct{}, 1)
 	c.activePingsMu.Lock()
 	c.activePings[p] = pong

--- a/read.go
+++ b/read.go
@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {
 		pong, ok := c.activePings[string(b)]
 		c.activePingsMu.Unlock()
 		if ok {
-			close(pong)
+			select {
+			case pong <- struct{}{}:
+			default:
+			}
 		}
 		return nil
 	}