NetBSD Problem Report #56085

From www@netbsd.org  Tue Mar 30 08:59:05 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id C6F1F1A9217
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 30 Mar 2021 08:59:05 +0000 (UTC)
Message-Id: <20210330085904.39A1B1A921F@mollari.NetBSD.org>
Date: Tue, 30 Mar 2021 08:59:04 +0000 (UTC)
From: parrottjustin16@gmail.com
Reply-To: parrottjustin16@gmail.com
To: gnats-bugs@NetBSD.org
Subject: One can kind of run away with memory as bozodgetln grows a buffer to infinity
X-Send-Pr-Version: www-1.0

>Number:         56085
>Category:       bin
>Synopsis:       One can kind of run away with memory as bozodgetln grows a buffer to infinity
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    mrg
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 30 09:00:00 +0000 2021
>Last-Modified:  Sun Apr 04 18:15:01 +0000 2021
>Originator:     Justin Parrott
>Release:        current
>Organization:
independent
>Environment:
NetBSD 9.99.81 NetBSD 9.99.81 (GENERIC) #0: Mon Mar 29 02:32:22 UTC 2021  root@localhost:/usr/src/sys/arch/amd64/compile/obj/GENERIC amd64
>Description:
bozodgetln grows a buffer to infinity.  This appears to be limited by httpd->header_timeout (off by default).
>How-To-Repeat:
{ stty -icanon; { printf "GET / HTTP/1.1\r\n"; while true; do printf a; done; } |nc localhost 80; }
>Fix:
Patch below - minimally tested against running the daemon out of inetd.  Also, users should impose a header timeout.

Index: bozohttpd.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
retrieving revision 1.128
diff -r1.128 bozohttpd.c
859a860,864
> 	if (!str) {
> 		bozo_http_error(httpd, 400, request, "bad headers");
> 		goto cleanup;
> 	}
> 
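Review bot: the `if (!str)` check inserted at line 859 turns every NULL from bozodgetln into a 400 "bad headers", but NULL is also what the reader hands back when the client simply has nothing more to send, so a peer that closes the connection cleanly would now be answered with an error. The caller needs a way to tell "nothing left" apart from "line too long", for example a status flag set alongside the NULL return, and only the oversize case should produce the 400.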
2409a2415,2424
> 			if (BOZO_HEADERS_MAX_LINESIZE &&
> 			    httpd->getln_buflen > BOZO_HEADERS_MAX_LINESIZE) {
> 				debug((httpd, DEBUG_EXPLODING, "bozodgetln: "
> 				    "header line exceeds %d bytes",
> 				    BOZO_HEADERS_MAX_LINESIZE));
> 				free(httpd->getln_buffer);
> 				httpd->getln_buflen = 0;
> 				return NULL;
> 			}
> 
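Review bot: after `free(httpd->getln_buffer);` the pointer is left in place while `getln_buflen` is reset to 0; if any later call grows or releases the buffer through that pointer (the usual realloc()/free() pattern for a buffer that persists on the httpd handle across requests), that is a use of freed memory. Add `httpd->getln_buffer = NULL;` directly after the free. The limit is also compared against the allocated capacity `getln_buflen` rather than the bytes actually read, so if the buffer grows in steps larger than one byte the rejection point is the allocation step that overshoots the constant, not the line length the debug message names; comparing the count of consumed bytes gives the bound the message promises. The bare `return NULL` is additionally indistinguishable to the caller from end of input.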
Index: bozohttpd.h
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.h,v
retrieving revision 1.68
diff -r1.68 bozohttpd.h
229a230,232
> /* header lines can be this long.  0 for infinity */
> #define BOZO_HEADERS_MAX_LINESIZE (2 * 1024)
> 
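Review bot: a new compile-time constant `BOZO_HEADERS_MAX_LINESIZE` of 2 KiB duplicates a limit the daemon already carries; the thread notes an existing `BOZO_HEADERS_MAX_SIZE` (16 KB by default) that can bound the request line as well, and 2 KiB is small enough to reject legitimate requests carrying long query strings or cookies. Prefer reusing the existing value, or expose the new one as a runtime preference like "header timeout" so operators can tune it without rebuilding. The "0 for infinity" escape hatch also means a 0 here silently reinstates exactly the unbounded growth this change is meant to remove.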

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: bin-bug-people->mrg
Responsible-Changed-By: mrg@NetBSD.org
Responsible-Changed-When: Sat, 03 Apr 2021 23:18:12 +0000
Responsible-Changed-Why:
i'll fix it.


From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@netbsd.org, parrottjustin16@gmail.com
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: re: bin/56085: One can kind of run away with memory as bozodgetln grows a buffer to infinity
Date: Sun, 04 Apr 2021 09:29:12 +1000

 > >Description:
 > bozodgetln grows a buffer to infinity.


 indeed it does.  thanks for the report.

 > This appears to be limited by httpd->header_timeout (off by default).

 this should be 10 seconds:

 #define HEADER_WAIT_TIME        "10"    /* need more headers every 10 seconds */

         if (!bozo_set_pref(httpd, prefs, "header timeout", HEADER_WAIT_TIME))

 and then

         if ((cp = bozo_get_pref(prefs, "header timeout")) != NULL) {
 		httpd->header_timeout = atoi(cp);

 so if you're not seeing timeouts either from the initial connection
 (should be 30s) or any time after this for headers at 10s, there is
 something happening i'm not seeing here.  eg, if i connect and do
 nothing, timeout after 30s, if i connect and only give it a non 0.9
 request, so it is waiting for headers, disconnect 10s later.

 > Patch below - minimally tested against running the daemon out of inetd.  Also, users should impose a header timeout.

 i'm re-using the existing value for BOZO_HEADERS_MAX_SIZE for
 the request as well, rather than adding another value.  it
 has a default of 16KB.

 i don't understand the first chunk here:

 > Index: bozohttpd.c
 > ===================================================================
 > RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
 > retrieving revision 1.128
 > diff -r1.128 bozohttpd.c
 > 859a860,864
 > > 	if (!str) {
 > > 		bozo_http_error(httpd, 400, request, "bad headers");
 > > 		goto cleanup;
 > > 	}
 > >


 what is this trying to fix?  it's not invalid for there to be
 nothing left here is it?

 thanks.


 .mrg.

 ps: please use 'diff -pu' (or at least 'diff -pc').

From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@netbsd.org
Cc: gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: re: bin/56085: One can kind of run away with memory as bozodgetln grows a buffer to infinity
Date: Sun, 04 Apr 2021 09:37:43 +1000

 > Index: bozohttpd.c
 > ===================================================================
 > RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
 > retrieving revision 1.128
 > diff -r1.128 bozohttpd.c
 > 859a860,864
 > > 	if (!str) {
 > > 		bozo_http_error(httpd, 400, request, "bad headers");
 > > 		goto cleanup;
 > > 	}

 ah, this chunk makes the "return NULL" from the following chunk
 work.  that's it's own problem.  there needs to be "nothing"
 vs "error" cases here.


 .mrg.
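A bounded line reader that keeps the "nothing left" and "line too long" cases apart, as the reply above asks for; this is an added example, not bozohttpd's code, and the `struct conn` stand-in for the socket, the `lnbuf` buffer and the `bounded_getln`/`lnbuf_reserve` names are assumptions:

```c
#include <stdlib.h>
#include <string.h>
/* Distinct outcomes: "no more input" must never be confused with "too long". */
enum getln_status { GETLN_LINE, GETLN_EOF, GETLN_TOOLONG, GETLN_NOMEM };

/* Stand-in for the client socket: a constructed byte string plus a read cursor. */
struct conn { const char *data; size_t len, pos; };

/* Growable line buffer, in the spirit of httpd->getln_buffer / getln_buflen. */
struct lnbuf { char *buf; size_t cap, len; };
static int conn_getc(struct conn *c) {
	return c->pos < c->len ? (unsigned char)c->data[c->pos++] : -1;
}

/* Make room for `need` bytes; growth is geometric but capped at maxlen + 1 (NUL). */
static enum getln_status lnbuf_reserve(struct lnbuf *lb, size_t need, size_t maxlen) {
	if (need > maxlen + 1) {
		free(lb->buf);		/* drop the oversize buffer ... */
		lb->buf = NULL;		/* ... without leaving a dangling pointer */
		lb->cap = lb->len = 0;
		return GETLN_TOOLONG;
	}
	if (need > lb->cap) {
		size_t ncap = lb->cap ? lb->cap * 2 : 64;
		if (ncap < need) ncap = need;
		if (ncap > maxlen + 1) ncap = maxlen + 1;
		char *nb = realloc(lb->buf, ncap);
		if (nb == NULL) return GETLN_NOMEM;
		lb->buf = nb; lb->cap = ncap;
	}
	return GETLN_LINE;
}

/* Read one LF/CRLF-terminated line; more than maxlen bytes before the LF is rejected. */
enum getln_status bounded_getln(struct conn *c, struct lnbuf *lb, size_t maxlen) {
	enum getln_status st;
	int ch;
	lb->len = 0;
	while ((ch = conn_getc(c)) != -1 && ch != '\n') {
		if ((st = lnbuf_reserve(lb, lb->len + 2, maxlen)) != GETLN_LINE)
			return st;
		lb->buf[lb->len++] = (char)ch;
	}
	if (ch == -1 && lb->len == 0)
		return GETLN_EOF;	/* nothing left: a normal end, not an error */
	if (lb->len > 0 && lb->buf[lb->len - 1] == '\r')
		lb->len--;		/* strip the CR of CRLF */
	if ((st = lnbuf_reserve(lb, lb->len + 1, maxlen)) != GETLN_LINE)
		return st;
	lb->buf[lb->len] = '\0';
	return GETLN_LINE;
}
```

On GETLN_TOOLONG the buffer is released and nulled, so a later call on the same lnbuf starts from an empty buffer instead of touching freed memory.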

From: "matthew green" <mrg@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56085 CVS commit: src/libexec/httpd
Date: Sun, 4 Apr 2021 18:14:27 +0000

 Module Name:	src
 Committed By:	mrg
 Date:		Sun Apr  4 18:14:27 UTC 2021

 Modified Files:
 	src/libexec/httpd: CHANGES bozohttpd.c

 Log Message:
 avoid DoS in initial request size, which is now bounded at 16KiB.
 reported by Justin Parrott in PR#56085.


 To generate a diff of this commit:
 cvs rdiff -u -r1.47 -r1.48 src/libexec/httpd/CHANGES
 cvs rdiff -u -r1.128 -r1.129 src/libexec/httpd/bozohttpd.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
