NetBSD Problem Report #56085
From www@netbsd.org Tue Mar 30 08:59:05 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id C6F1F1A9217
for <gnats-bugs@gnats.NetBSD.org>; Tue, 30 Mar 2021 08:59:05 +0000 (UTC)
Message-Id: <20210330085904.39A1B1A921F@mollari.NetBSD.org>
Date: Tue, 30 Mar 2021 08:59:04 +0000 (UTC)
From: parrottjustin16@gmail.com
Reply-To: parrottjustin16@gmail.com
To: gnats-bugs@NetBSD.org
Subject: One can kind of run away with memory as bozodgetln grows a buffer to infinity
X-Send-Pr-Version: www-1.0
>Number: 56085
>Category: bin
>Synopsis: One can kind of run away with memory as bozodgetln grows a buffer to infinity
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: mrg
>State: closed
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Tue Mar 30 09:00:00 +0000 2021
>Closed-Date: Mon Mar 14 05:08:07 +0000 2022
>Last-Modified: Wed May 18 00:50:02 +0000 2022
>Originator: Justin Parrott
>Release: current
>Organization:
independent
>Environment:
NetBSD 9.99.81 NetBSD 9.99.81 (GENERIC) #0: Mon Mar 29 02:32:22 UTC 2021 root@localhost:/usr/src/sys/arch/amd64/compile/obj/GENERIC amd64
>Description:
bozodgetln grows a buffer to infinity. This appears to be limited by httpd->header_timeout (off by default).
>How-To-Repeat:
{ stty -icanon; { printf "GET / HTTP/1.1\r\n"; while true; do printf a; done; } |nc localhost 80; }
>Fix:
Patch below - minimally tested against running the daemon out of inetd. Also, users should impose a header timeout.
Index: bozohttpd.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
retrieving revision 1.128
diff -r1.128 bozohttpd.c
859a860,864
> if (!str) {
> bozo_http_error(httpd, 400, request, "bad headers");
> goto cleanup;
> }
>
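Review bot: the "if (!str)" check answers 400 "bad headers" for every NULL that bozodgetln returns, but NULL is also what the reader yields when the client simply stops sending, so a plain disconnect now gets an error response and the caller cannot tell "nothing left" from "line too long". Have bozodgetln report the oversize case distinctly (a separate status, or an error flag recorded in httpd) and send the 400 only for that; on end of input keep the existing behaviour. The context-free "859a860,864" hunk also hides what the "cleanup" label does with httpd->getln_buffer, which matters because the next hunk frees it; please resend as "diff -pu" so the surrounding lines are visible.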
2409a2415,2424
> if (BOZO_HEADERS_MAX_LINESIZE &&
> httpd->getln_buflen > BOZO_HEADERS_MAX_LINESIZE) {
> debug((httpd, DEBUG_EXPLODING, "bozodgetln: "
> "header line exceeds %d bytes",
> BOZO_HEADERS_MAX_LINESIZE));
> free(httpd->getln_buffer);
> httpd->getln_buflen = 0;
> return NULL;
> }
>
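Review bot: after "free(httpd->getln_buffer);" the hunk resets getln_buflen to 0 but leaves getln_buffer pointing at freed memory, so the next bozodgetln call on this connection, or any cleanup path that frees the buffer, reuses or double-frees it. Add "httpd->getln_buffer = NULL;" next to "httpd->getln_buflen = 0;". The bare "return NULL" is also the same value the function already uses for end of input, so callers cannot distinguish the two outcomes; return a distinct sentinel or record the error in httpd so the 400 is sent only for the oversize case. Minor: the debug message prints BOZO_HEADERS_MAX_LINESIZE with %d but the comparison is against getln_buflen, so it would read better as "header line exceeds %d bytes (buffer %zu)" or similar so the log shows what was actually measured.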
Index: bozohttpd.h
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.h,v
retrieving revision 1.68
diff -r1.68 bozohttpd.h
229a230,232
> /* header lines can be this long. 0 for infinity */
> #define BOZO_HEADERS_MAX_LINESIZE (2 * 1024)
>
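Review bot: 2 KiB is a tight per-line limit for the request line and for Cookie headers; RFC 7230 recommends that recipients support request-lines of at least 8000 octets, and bozohttpd already has BOZO_HEADERS_MAX_SIZE (16 KB, per the reply below) bounding the headers, so consider reusing that constant instead of adding a second, smaller knob that will reject legitimate long URLs. If a separate line limit is kept, make it a runtime preference rather than a compile-time define, document it in bozohttpd(8) and CHANGES, and say in the comment whether the bound counts the NUL and line terminator.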
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->mrg
Responsible-Changed-By: mrg@NetBSD.org
Responsible-Changed-When: Sat, 03 Apr 2021 23:18:12 +0000
Responsible-Changed-Why:
i'll fix it.
From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@netbsd.org, parrottjustin16@gmail.com
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: re: bin/56085: One can kind of run away with memory as bozodgetln grows a buffer to infinity
Date: Sun, 04 Apr 2021 09:29:12 +1000
> >Description:
> bozodgetln grows a buffer to infinity.
indeed it does. thanks for the report.
> This appears to be limited by httpd->header_timeout (off by default).
this should be 10 seconds:
#define HEADER_WAIT_TIME "10" /* need more headers every 10 seconds */
if (!bozo_set_pref(httpd, prefs, "header timeout", HEADER_WAIT_TIME))
and then
if ((cp = bozo_get_pref(prefs, "header timeout")) != NULL) {
httpd->header_timeout = atoi(cp);
so if you're not seeing timeouts either from the initial connection
(should be 30s) or any time after this for headers at 10s, there is
something happening i'm not seeing here. eg, if i connect and do
nothing, timeout after 30s, if i connect and only give it a non 0.9
request, so it is waiting for headers, disconnect 10s later.
> Patch below - minimally tested against running the daemon out of inetd. Also, users should impose a header timeout.
i'm re-using the existing value for BOZO_HEADERS_MAX_SIZE for
the request as well, rather than adding another value. it
has a default of 16KB.
i don't understand the first chunk here:
> Index: bozohttpd.c
> ===================================================================
> RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
> retrieving revision 1.128
> diff -r1.128 bozohttpd.c
> 859a860,864
> > if (!str) {
> > bozo_http_error(httpd, 400, request, "bad headers");
> > goto cleanup;
> > }
> >
what is this trying to fix? it's not invalid for there to be
nothing left here is it?
thanks.
.mrg.
ps: please use 'diff -pu' (or at least 'diff -pc').
From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: re: bin/56085: One can kind of run away with memory as bozodgetln grows a buffer to infinity
Date: Sun, 04 Apr 2021 09:37:43 +1000
> Index: bozohttpd.c
> ===================================================================
> RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
> retrieving revision 1.128
> diff -r1.128 bozohttpd.c
> 859a860,864
> > if (!str) {
> > bozo_http_error(httpd, 400, request, "bad headers");
> > goto cleanup;
> > }
ah, this chunk makes the "return NULL" from the following chunk
work. that's its own problem. there needs to be "nothing"
vs "error" cases here.
.mrg.
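The reporter's patch and the two replies above turn on one design question: a line reader that signals "line too long" with the same NULL it already uses for "no more input" forces every caller to guess, which is why the first hunk had to treat every NULL as a 400. The block below is an added example, not bozohttpd's code (the names bounded_getln, getln_ctx, ensure_room, read_request_head, runaway_status and HEAD_MAX_SIZE are this example's own), showing a reader that returns a distinct status for each outcome, nulls the buffer pointer after freeing it, and refuses to grow past an assumed 16KiB, the bound the fix commit applies to the request. The sample input is constructed to mirror the PR's reproducer: a request line followed by an unterminated run of 'a'.

```c
#define _POSIX_C_SOURCE 200809L                 /* for fmemopen(3) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define HEAD_MAX_SIZE (16 * 1024)  /* assumed: the 16KiB bound of the fix commit */

/* Distinct outcomes, so "no more input" is never confused with "too long". */
enum getln_status { GETLN_OK, GETLN_EOF, GETLN_TOOLONG, GETLN_NOMEM };

struct getln_ctx {
	char  *buf;     /* growable line buffer, NUL-terminated after GETLN_OK */
	size_t buflen;  /* bytes allocated */
	size_t len;     /* bytes in the current line, CR/LF stripped */
};

/* Grow buf to hold need bytes, doubling but never past max. */
static enum getln_status ensure_room(struct getln_ctx *ctx, size_t need, size_t max)
{
	size_t n; char *nb;
	if (need <= ctx->buflen)
		return GETLN_OK;
	if (need > max) {
		/* Free and clear the pointer so a later call, or the connection's
		 * cleanup path, can neither reuse nor double-free the buffer. */
		free(ctx->buf);
		ctx->buf = NULL;
		ctx->buflen = ctx->len = 0;
		return GETLN_TOOLONG;
	}
	n = ctx->buflen ? ctx->buflen * 2 : 128;
	if (n > max) n = max;                       /* n >= need holds: need <= max */
	if ((nb = realloc(ctx->buf, n)) == NULL)
		return GETLN_NOMEM;
	ctx->buf = nb; ctx->buflen = n;
	return GETLN_OK;
}

/* Read one LF/CRLF line: unterminated final line -> GETLN_OK, exhausted stream -> GETLN_EOF. */
enum getln_status bounded_getln(struct getln_ctx *ctx, FILE *fp, size_t max)
{
	enum getln_status st; int c;
	ctx->len = 0;
	while ((c = fgetc(fp)) != EOF) {
		if (c == '\n') {
			if (ctx->len > 0 && ctx->buf[ctx->len - 1] == '\r')
				ctx->len--;                     /* drop the CR of CRLF */
			break;
		}
		if ((st = ensure_room(ctx, ctx->len + 2, max)) != GETLN_OK)
			return st;                          /* room for c plus the NUL */
		ctx->buf[ctx->len++] = (char)c;
	}
	if (c == EOF && ctx->len == 0)
		return GETLN_EOF;
	if ((st = ensure_room(ctx, ctx->len + 1, max)) != GETLN_OK)
		return st;                              /* empty first line: no buffer yet */
	ctx->buf[ctx->len] = '\0';
	return GETLN_OK;
}

/* Read a request head (request line + headers) from text up to the blank line
 * ending it; returns the status that stopped the loop, *nlines the line count. */
enum getln_status read_request_head(const char *text, size_t max, int *nlines)
{
	struct getln_ctx ctx = { NULL, 0, 0 };
	enum getln_status st;
	FILE *fp = fmemopen((void *)text, strlen(text), "r");
	*nlines = 0;
	if (fp == NULL)
		return GETLN_NOMEM;
	for (;;) {
		st = bounded_getln(&ctx, fp, max);
		if (st != GETLN_OK || ctx.len == 0)
			break;                              /* error, EOF, or blank line */
		(*nlines)++;
	}
	fclose(fp);
	free(ctx.buf);
	return st;
}

/* Constructed input modelled on the PR's reproducer: a request line, then n
 * bytes of 'a' with no terminator.  Returns the status the reader ends with. */
enum getln_status runaway_status(size_t n)
{
	const char head[] = "GET / HTTP/1.1\r\n";
	char *s = malloc(sizeof(head) + n);         /* sizeof(head) counts the NUL */
	enum getln_status st; int lines;
	if (s == NULL)
		return GETLN_NOMEM;
	memcpy(s, head, sizeof(head) - 1);
	memset(s + sizeof(head) - 1, 'a', n);
	s[sizeof(head) - 1 + n] = '\0';
	st = read_request_head(s, HEAD_MAX_SIZE, &lines);
	free(s);
	return st;
}
```

The bound is checked before the buffer grows, so a client can never make the server hold more than HEAD_MAX_SIZE bytes for one line: with the 16KiB assumption a runaway header fails at its 16384th byte with GETLN_TOOLONG, which is the one case a server should answer with 400, while a head that is merely unfinished (no blank line yet) ends in GETLN_EOF and should just be dropped, as the header timeout already does. The block has no main; call read_request_head or runaway_status from a small driver to try other inputs.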
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/56085 CVS commit: src/libexec/httpd
Date: Sun, 4 Apr 2021 18:14:27 +0000
Module Name: src
Committed By: mrg
Date: Sun Apr 4 18:14:27 UTC 2021
Modified Files:
src/libexec/httpd: CHANGES bozohttpd.c
Log Message:
avoid DoS in initial request size, which is now bounded at 16KiB.
reported by Justin Parrott in PR#56085.
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 src/libexec/httpd/CHANGES
cvs rdiff -u -r1.128 -r1.129 src/libexec/httpd/bozohttpd.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: mrg@NetBSD.org
State-Changed-When: Mon, 14 Mar 2022 05:08:07 +0000
State-Changed-Why:
fix was committed last year.
From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/56085 CVS commit: pkgsrc/www/bozohttpd
Date: Wed, 18 May 2022 00:46:46 +0000
Module Name: pkgsrc
Committed By: mrg
Date: Wed May 18 00:46:46 UTC 2022
Modified Files:
pkgsrc/www/bozohttpd: Makefile distinfo
Log Message:
update to bozohttpd 20220517. changes include:
o remove obsolete .bzdirect handling.
o new "-m tlsversion" option to set the minimum TLS version
available. partially from <sunil@nimmagadda.net>.
o extend the list of available ciphers to include most of the
openssl "HIGH" with some additional disables. retain the current
list of bad options. should deal with PR#51278.
o don't assume host BUFSIZ is sufficient. small BUFSIZ leads to
always happens errors in the testsuite. switch all these buffers
to be 4KiB sized. reported by embr <git@liclac.eu>
o fix a denial of service attack against initial request contents,
now bounded at 16KiB. reported by Justin Parrott in PR#56085
o new support for content types: .tar.bz2, .tar.xz, .tar.lz,
.tar.zst, .tbz2, .txz, .tlz, .zipx, .xz, .zst, .sz, .lz, .lzma,
.lzo, .7z, .lzo, .cab, .dmg, .jar, and .rar. should fix
netbsd PR#56026:
MIME type of .tar.xz file on ny{cdn,ftp}.NetBSD.org is invalid
o fix various NULL derefs from malformed headers. mostly from
<emily@ingalls.rocks>.
o fix memory leaks in library interface: add bozo_cleanup().
To generate a diff of this commit:
cvs rdiff -u -r1.97 -r1.98 pkgsrc/www/bozohttpd/Makefile
cvs rdiff -u -r1.76 -r1.77 pkgsrc/www/bozohttpd/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: