From c5483800adfd5a0c3aa9472daf484235fcdcc0b6 Mon Sep 17 00:00:00 2001
From: Anthony Young-Garner
Date: Tue, 19 Jan 2021 09:54:27 -0600
Subject: [PATCH] Uncaught socket exception during timeout handling
---
 cheroot/ssl/pyopenssl.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/cheroot/ssl/pyopenssl.py b/cheroot/ssl/pyopenssl.py
index 8b01b348de..cb2cbc6e3c 100644
--- a/cheroot/ssl/pyopenssl.py
+++ b/cheroot/ssl/pyopenssl.py
@@ -99,8 +99,14 @@ def _safe_call(self, is_reader, call, *args, **kwargs): # noqa: C901
 except SSL.WantWriteError:
 time.sleep(self.ssl_retry)
 except SSL.SysCallError as e:
- if is_reader and e.args == (-1, 'Unexpected EOF'):
- return b''
+ if e.args == (-1, 'Unexpected EOF'):
+ if is_reader:
+ return b''
+ else:
+ # See #210. Prevents DOS attack caused by
+ # silent connections lasting beyond connection
+ # timeout length.
+ raise errors.FatalSSLAlert(*e.args)
 errnum = e.args[0]
 if is_reader and errnum in errors.socket_errors_to_ignore:
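Review bot: The new write-side branch fires only on the exact tuple `(-1, 'Unexpected EOF')`, so the fix depends on that message text never changing. Any other `SSL.SysCallError` raised during a write still falls through to the `errnum` handling, where the one visible check is guarded by `is_reader`. The rest of `_safe_call` lies outside the hunk, so it is worth confirming that the write path ends in a raise there as well. The `else:` after `return b''` is redundant; the branch reads flatter as `if is_reader:` / `return b''` followed directly by the comment and `raise errors.FatalSSLAlert(*e.args)`. The comment could also name the condition, e.g. `# Unexpected EOF on a write: fail the call so the connection is closed rather than kept past the timeout (DoS, see #210).`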