1 files changed, 7 insertions, 0 deletions
diff --git a/networking/httpd.c b/networking/httpd.c
index fb6ffe542..56ab85b82 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -2632,6 +2632,13 @@ static void mini_httpd(int server_socket)
                n = accept(server_socket, &fromAddr.u.sa, &fromAddr.len);
                if (n < 0)
                        continue;
+//TODO: we can reject connects from denied IPs right away;
+//also, we might want to do one MSG_DONTWAIT'ed recv() here
+//to detect immediate EOF,
+//to avoid forking a whole new process for attackers
+//who open and close lots of connections.
+//(OTOH, the real mitigtion for this sort of thing is
+//to ratelimit connects in iptables)
                /* set the KEEPALIVE option to cull dead connections */
                setsockopt_keepalive(n);

diff --git a/networking/httpd.c b/networking/httpd.c index fb6ffe542..56ab85b82 100644 --- a/networking/httpd.c +++ b/networking/httpd.c
@@ -2632,6 +2632,13 @@ static void mini_httpd(int server_socket)
2632	n = accept(server_socket, &fromAddr.u.sa, &fromAddr.len);	2632	n = accept(server_socket, &fromAddr.u.sa, &fromAddr.len);
2633	if (n < 0)	2633	if (n < 0)
2634	continue;	2634	continue;
		2635	//TODO: we can reject connects from denied IPs right away;
		2636	//also, we might want to do one MSG_DONTWAIT'ed recv() here
		2637	//to detect immediate EOF,
		2638	//to avoid forking a whole new process for attackers
		2639	//who open and close lots of connections.
		2640	//(OTOH, the real mitigtion for this sort of thing is
		2641	//to ratelimit connects in iptables)
2635		2642
2636	/* set the KEEPALIVE option to cull dead connections */	2643	/* set the KEEPALIVE option to cull dead connections */
2637	setsockopt_keepalive(n);	2644	setsockopt_keepalive(n);