From 28d92a2f31ab470b42011db08e3d5c0d0a1dd3dc Mon Sep 17 00:00:00 2001
From: Aliaksandr Valialkin
Date: Thu, 26 Jan 2023 23:45:36 -0800
Subject: [PATCH] lib/netutil: limit the time needed for reading proxy protocol headers

This should prevent from misconfigured proxies and from possible Slowloris-type DoS attacks (see https://en.wikipedia.org/wiki/Slowloris_(computer_security) )

Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/3335
---
 lib/netutil/proxyprotocol.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/netutil/proxyprotocol.go b/lib/netutil/proxyprotocol.go
index d6ffc2179..c45dd6f60 100644
--- a/lib/netutil/proxyprotocol.go
+++ b/lib/netutil/proxyprotocol.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"time"
 
 	"github.com/VictoriaMetrics/VictoriaMetrics/lib/bytesutil"
 )
@@ -15,6 +16,12 @@ type proxyProtocolConn struct {
 }
 
 func newProxyProtocolConn(c net.Conn) (net.Conn, error) {
+	// Limit the time needed for reading the proxy protocol header.
+	d := time.Now().Add(5 * time.Second)
+	if err := c.SetReadDeadline(d); err != nil {
+		return nil, fmt.Errorf("cannot set deadline for reading proxy protocol header: %s", err)
+	}
+
 	remoteAddr, err := readProxyProto(c)
 	if err != nil {
 		return nil, fmt.Errorf("proxy protocol error: %w", err)
@@ -22,6 +29,12 @@ func newProxyProtocolConn(c net.Conn) (net.Conn, error) {
 	if remoteAddr == nil {
 		remoteAddr = c.RemoteAddr()
 	}
+
+	// Reset the read deadline.
+	if err := c.SetReadDeadline(time.Time{}); err != nil {
+		return nil, fmt.Errorf("cannot reset deadline after reading proxy protocol header: %s", err)
+	}
+
 	return &proxyProtocolConn{
 		Conn: c,
 		remoteAddr: remoteAddr,
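Review bot: The two new SetReadDeadline error returns format the underlying error with `%s`, while the existing `proxy protocol error: %w` line right below wraps it, so a caller using errors.Is/errors.As (for instance to recognise a net.Error with Timeout() and log or count it as a slow-header event) gets that only for readProxyProto failures and not for the deadline calls; the same applies to the reset error in the third hunk. Use `%w` in both: `return nil, fmt.Errorf("cannot set deadline for reading proxy protocol header: %w", err)`. The 5-second budget is a bare literal; a named constant with a comment, such as `const proxyProtocolHeaderTimeout = 5 * time.Second // bounds a slow or misconfigured proxy`, would document the choice and give operators one place to find it. newProxyProtocolConn starts in this hunk and continues past it.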
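Review bot: The reset with `time.Time{}` clears whatever read deadline the caller may already have armed on c before passing it in, since net.Conn has no way to read the previous deadline back; if any accept path relies on a pre-set deadline, it is silently removed here. If that is intended, a comment on the function stating that it takes over and then clears the read deadline on c would make the contract explicit, e.g. `// newProxyProtocolConn temporarily sets a read deadline on c while the header is read and clears it afterwards; any deadline previously set by the caller is lost.` On the error returns in the second hunk the short deadline stays armed on c, which only matters if the caller continues to use c rather than closing it — I cannot tell from here. The function body ends outside the hunk.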