From: "Sergey Beryozkin (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Mon, 18 Nov 2013 14:19:26 +0000 (UTC)
Subject: [jira] [Resolved] (CXF-5390) AbstractSamlBase64InHandler goes into infinite loop when processing bad header value.

     [ https://issues.apache.org/jira/browse/CXF-5390?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-5390.
-----------------------------------

    Resolution: Fixed
    Fix Version/s: 2.6.11
                   2.7.8
                   3.0.0
      Assignee: Sergey Beryozkin

Thanks for reporting it and actually identifying the source of the problem.

> AbstractSamlBase64InHandler goes into infinite loop when processing bad header value.
> -------------------------------------------------------------------------------------
>
>                 Key: CXF-5390
>                 URL: https://issues.apache.org/jira/browse/CXF-5390
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 2.7.3
>         Environment: Linux or Mac, Karaf 2.3.1 container, CXF 2.7.3
>            Reporter: Dario Amiri
>            Assignee: Sergey Beryozkin
>            Priority: Critical
>             Fix For: 3.0.0, 2.7.8, 2.6.11
>
>
> Let's say I protect my JAX-RS service using SamlHeaderInHandler. The service expects me to include a valid deflate encoded (compressed) then base 64 encoded token in the Authorization of my RESTful call like this:
>
> SAML
>
> However if instead of inserting a token, I insert the following string "invalid_grant" in the Authorization header like so:
>
> SAML invalid_grant
>
> The following will happen:
>
> 1. SamlHeaderInHandler splits the header into its two parts and sends what it thinks is the assertion (the "invalid_grant" string) to AbstractSamlBase64InHandler.handleToken
> 2. AbstractSamlBase64InHandler.handleToken first base 64 decodes the string. This completes with no error.
> 3. AbstractSamlBase64InHandler.handleToken then tries to inflate the assertion.
>
> It is during this last step that CXF goes into an infinite loop. Here is the code involved:
>
>     while (!inflater.finished()) {
>         inputLen = inflater.inflate(input);
>         if (!inflater.finished()) {
>             inflatedToken = new byte[input.length + inflatedLen];
>             System.arraycopy(input, 0, inflatedToken, inflatedLen, inputLen);
>             inflatedLen += inputLen;
>         }
>     }
>
> When the input is the following byte array:
>
>     [94, -27, -122, 110, 16, 59, 41, 43, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
>
> (which is the result from base 64 decoding the string "invalid_grant")
>
> The loop never breaks because the test inflater.finished() is never true even if inputLen is 0. Thus the service hangs indefinitely.
>
> I am classifying this as Critical because, essentially, by crafting a certain type of request, I can execute a denial of service attack against the service.

--
This message was sent by Atlassian JIRA
(v6.1#6144)
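The following is an added example written for this page; it is not CXF code and not the fix that resolved CXF-5390. It shows the shape of an inflate loop that cannot spin on the condition described in the report: when Inflater.inflate() returns 0 without finished() becoming true, the stream is truncated or malformed (or needs a preset dictionary) and no further call will ever make progress, so the loop must fail instead of retrying. It goes one step beyond the report by also capping the total inflated size, since an attacker-supplied deflate stream can otherwise expand far beyond the request body that carried it. The class name BoundedInflate, the limit MAX_INFLATED_BYTES and the sample assertion text are assumptions chosen for this example; the 18-byte array is the one quoted in the issue.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

// Added example, not CXF code: a deflate-decoding loop that terminates on
// malformed input and bounds the amount of output it will produce.
public final class BoundedInflate {

    // Hypothetical limit chosen for this example. Size it to the largest
    // assertion the service legitimately expects to receive.
    static final int MAX_INFLATED_BYTES = 64 * 1024;

    public static byte[] inflate(byte[] compressed) throws DataFormatException {
        Inflater inflater = new Inflater(); // zlib-wrapped deflate, as a "deflate encoded" token would be
        try {
            inflater.setInput(compressed);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[1024];
            while (!inflater.finished()) {
                int n = inflater.inflate(buf); // throws DataFormatException on corrupt data
                if (n == 0) {
                    if (inflater.finished()) {
                        break; // the last call produced no bytes but did reach end-of-stream
                    }
                    // No output and not finished: looping again would return 0 forever.
                    // This is the state the quoted loop never checks for.
                    String why = inflater.needsDictionary() ? "preset dictionary required"
                            : inflater.needsInput() ? "input exhausted before end of stream"
                            : "no progress";
                    throw new DataFormatException("malformed deflate stream: " + why);
                }
                if (out.size() + n > MAX_INFLATED_BYTES) {
                    throw new DataFormatException("inflated token exceeds " + MAX_INFLATED_BYTES + " bytes");
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        } finally {
            inflater.end(); // release native zlib state on every path, including the error ones
        }
    }

    public static void main(String[] args) throws Exception {
        // Round trip of a well-formed token (sample text constructed for this example).
        byte[] original = "<Assertion>sample</Assertion>".getBytes(StandardCharsets.UTF_8);
        Deflater deflater = new Deflater();
        deflater.setInput(original);
        deflater.finish();
        ByteArrayOutputStream packed = new ByteArrayOutputStream();
        byte[] tmp = new byte[256];
        while (!deflater.finished()) {
            packed.write(tmp, 0, deflater.deflate(tmp));
        }
        deflater.end();
        System.out.println("round trip: " + new String(inflate(packed.toByteArray()), StandardCharsets.UTF_8));

        // The byte array the issue reports for the decoded "invalid_grant" header value.
        byte[] bad = {94, -27, -122, 110, 16, 59, 41, 43, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
        try {
            inflate(bad);
            System.out.println("unexpectedly accepted");
        } catch (DataFormatException e) {
            // Either inflate() rejects the bytes itself or the loop's no-progress
            // check does; in both cases the request fails fast instead of hanging.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The essential change is that a zero-byte result while finished() is still false is treated as a terminal error rather than as a reason to try again; a timeout around the handler would only limit the damage, whereas this makes the hang impossible. The size cap is independent of the hang and is worth keeping wherever compressed input arrives from an unauthenticated caller.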