Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/libexec/httpd avoid DoS in initial request size, which is no...
details: https://anonhg.NetBSD.org/src/rev/d8279b1e58b6
branches: trunk
changeset: 1020240:d8279b1e58b6
user: mrg <mrg%NetBSD.org@localhost>
date: Sun Apr 04 18:14:26 2021 +0000
description:
avoid DoS in initial request size, which is now bounded at 16KiB.
reported by Justin Parrott in PR#56085.
diffstat:
libexec/httpd/CHANGES | 6 +++++-
libexec/httpd/bozohttpd.c | 23 +++++++++++++++--------
2 files changed, 20 insertions(+), 9 deletions(-)
diffs (85 lines):
diff -r d7bce1abb12f -r d8279b1e58b6 libexec/httpd/CHANGES
--- a/libexec/httpd/CHANGES Sun Apr 04 13:37:17 2021 +0000
+++ b/libexec/httpd/CHANGES Sun Apr 04 18:14:26 2021 +0000
@@ -1,4 +1,8 @@
-$NetBSD: CHANGES,v 1.47 2021/02/27 12:55:25 mrg Exp $
+$NetBSD: CHANGES,v 1.48 2021/04/04 18:14:26 mrg Exp $
+
+changes in bozohttpd 20210403:
+ o fix a denial of service attack against initial request contents,
+ now bounded at 16KiB. reported by Justin Parrott in PR#56085
changes in bozohttpd 20210227:
o new support for content types: .tar.bz2, .tar.xz, .tar.lz,
diff -r d7bce1abb12f -r d8279b1e58b6 libexec/httpd/bozohttpd.c
--- a/libexec/httpd/bozohttpd.c Sun Apr 04 13:37:17 2021 +0000
+++ b/libexec/httpd/bozohttpd.c Sun Apr 04 18:14:26 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bozohttpd.c,v 1.128 2021/02/27 12:55:25 mrg Exp $ */
+/* $NetBSD: bozohttpd.c,v 1.129 2021/04/04 18:14:26 mrg Exp $ */
/* $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $ */
@@ -108,7 +108,7 @@
#define INDEX_HTML "index.html"
#endif
#ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE "bozohttpd/20210227"
+#define SERVER_SOFTWARE "bozohttpd/20210403"
#endif
#ifndef PUBLIC_HTML
#define PUBLIC_HTML "public_html"
@@ -852,6 +852,10 @@
next_header:
alarm(httpd->header_timeout);
}
+ if (str == NULL) {
+ bozo_http_error(httpd, 413, request, "request too large");
+ goto cleanup;
+ }
/* now, clear it all out */
alarm(0);
@@ -2124,7 +2128,7 @@
if (httpd)
tmp = bozomalloc(httpd, len);
else if ((tmp = malloc(len)) == 0)
- return NULL;
+ return NULL;
for (i = 0, j = 0; url[i]; i++) {
switch (url[i]) {
@@ -2373,6 +2377,9 @@
* inspired by fgetln(3), but works for fd's. should work identically
* except it, however, does *not* return the newline, and it does nul
* terminate the string.
+ *
+ * returns NULL if the line grows too large. empty lines will be
+ * returned with *lenp set to 0.
*/
char *
bozodgetln(bozohttpd_t *httpd, int fd, ssize_t *lenp,
@@ -2386,11 +2393,8 @@
if (httpd->getln_buflen == 0) {
/* should be plenty for most requests */
httpd->getln_buflen = 128;
- httpd->getln_buffer = malloc((size_t)httpd->getln_buflen);
- if (httpd->getln_buffer == NULL) {
- httpd->getln_buflen = 0;
- return NULL;
- }
+ httpd->getln_buffer =
+ bozomalloc(httpd, (size_t)httpd->getln_buflen);
}
len = 0;
@@ -2406,6 +2410,9 @@
for (; readfn(httpd, fd, &c, 1) == 1; ) {
debug((httpd, DEBUG_EXPLODING, "bozodgetln read %c", c));
+ if (httpd->getln_buflen > BOZO_HEADERS_MAX_SIZE)
+ return NULL;
+
if (len >= httpd->getln_buflen - 1) {
httpd->getln_buflen *= 2;
debug((httpd, DEBUG_EXPLODING, "bozodgetln: "
Home |
Main Index |
Thread Index |
Old Index