From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: [Bug 57832] Reduction of response splitting attacks consequences in mod_proxy
Date: Wed, 13 May 2015 18:58:55 +0000
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_proxy
X-Bugzilla-Version: 2.4.12
X-Bugzilla-Severity: enhancement
X-Bugzilla-Who: regis.leroy@makina-corpus.com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: bugs@httpd.apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=57832

--- Comment #7 from regilero ---

I made some tests with the last patch, on top of r1656259's patch.

If the extra content injected after the 1st response is less than 8000 bytes (more or less), I get 1 for the return of is_socket_connected instead of 2 (the USE_ALTERNATE_IS_CONNECTED && defined(APR_MSG_PEEK) version). Not always; the attack succeeds about 90% of the time.

With a big injected response the socket read is not empty and is_socket_connected is detecting this fact, but I do not get any response (no 502/503/400, just an RST).

So it means the real socket is empty (tested it with real reads and timeouts), but something has already stored this extra content and this storage is associated with the socket. So quite certainly something like some buckets which are not cleaned up after the 1st request.

Note that this is hiding a potential problem that I had to fix on the 1st patch with backends sending one extra \r\n after the first response. But I think the final solution will have to mix this is_socket_connected and a real cleanup of all data read from the socket while processing the first response.
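The failure mode described in the comment, as an added illustration that is not part of the bug report or of httpd's own code: a proxy-side reader that pulls data off the backend socket in 8 KiB chunks can have already consumed small trailing bytes into its own buffer, so a kernel-level MSG_PEEK check alone reports "nothing pending", while only a check that also inspects the reader's leftover buffer flags the connection as unsafe to reuse. The response bytes, the `read_one_response`, `socket_has_pending` and `connection_reusable` helpers and the socketpair setup are all constructed for this example.

```python
import socket

# Constructed sample: one complete backend response followed by stray bytes.
FIRST_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\nConnection: keep-alive\r\n\r\nhello"
SMALL_TRAILER = b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nbad"

def read_one_response(sock, bufsize=8192):
    """Read exactly one Content-Length response; return (response, leftover).
    leftover is data already read off the socket that belongs to no request we sent."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise ConnectionError("backend closed before headers were complete")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(rest) < length:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise ConnectionError("backend closed mid-body")
        rest += chunk
    return head + b"\r\n\r\n" + rest[:length], rest[length:]

def socket_has_pending(sock):
    """Kernel-side view only: a non-blocking MSG_PEEK, like a peek-based
    is_socket_connected test. Sees nothing that was already copied into user space."""
    sock.setblocking(False)
    try:
        return len(sock.recv(1, socket.MSG_PEEK)) > 0
    except BlockingIOError:
        return False
    finally:
        sock.setblocking(True)

def connection_reusable(sock, leftover):
    """Safe to reuse only if neither our own buffer nor the kernel holds stray bytes."""
    return not leftover and not socket_has_pending(sock)

def demo(trailer):
    """Simulate a backend sending FIRST_RESPONSE + trailer over a socketpair."""
    backend, proxy = socket.socketpair()
    backend.sendall(FIRST_RESPONSE + trailer)
    resp, leftover = read_one_response(proxy)
    pending, reusable = socket_has_pending(proxy), connection_reusable(proxy, leftover)
    backend.close(); proxy.close()
    return resp, leftover, pending, reusable
```

With a trailer smaller than the read buffer, `socket_has_pending` returns False (the "1 instead of 2" case) even though `leftover` holds the injected bytes; with a trailer larger than the buffer both checks fire.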