From b0adae427fc28c920d67c8907c1b3766ae858cc4 Mon Sep 17 00:00:00 2001
From: Andy Green <andy@warmcat.com>
Date: Tue, 15 Aug 2017 08:05:56 +0800
Subject: [PATCH] ah: reuse at end of transaction has no timeout

If we complete a transaction but end up keeping the ah, we must force
a timeout on it.  Otherwise a bad bot could keep the socket open and
exhaust the ah pool.
---
 lib/server.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/server.c b/lib/server.c
index 16e3808..6e7c8b0 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -1889,8 +1889,17 @@ lws_http_transaction_completed(struct lws *wsi)
 				return 1;
 			}
 #endif
-		} else
+		} else {
 			lws_header_table_reset(wsi, 1);
+			/*
+			 * If we kept the ah, we should restrict the amount
+			 * of time we are willing to keep it.  Otherwise it
+			 * will be bound the whole time the connection remains
+			 * open.
+			 */
+			lws_set_timeout(wsi, PENDING_TIMEOUT_HOLDING_AH,
+					wsi->vhost->keepalive_timeout);
+		}
 	}
 
 	/* If we're (re)starting on headers, need other implied init */
-- 
2.7.4