httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dgau...@hyperreal.org
Subject cvs commit: apache-1.3/src/main http_protocol.c
Date Sun, 09 Aug 1998 16:52:32 GMT
dgaudet     98/08/09 09:52:32

  Modified:    src      CHANGES
               src/main http_protocol.c
  Log:
  - fix ben's fix to roy's patch (sizeof(l) and sizeof(field) are meaningless)
  - put my qsort fix to get_mime_headers into the repository so I don't have
  to worry about someone else screwing around in the same routine.
  
  Revision  Changes    Path
  1.1013    +3 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1012
  retrieving revision 1.1013
  diff -u -r1.1012 -r1.1013
  --- CHANGES	1998/08/09 06:37:12	1.1012
  +++ CHANGES	1998/08/09 16:52:29	1.1013
  @@ -1,5 +1,8 @@
   Changes with Apache 1.3.2
   
  +  *) SECURITY: Eliminate O(n^2) space DoS attacks (and other O(n^2)
  +     cpu time attacks) in header parsing.  [Dean Gaudet]
  +
     *) SECURITY: Added default limits for various aspects of reading a
        client request to avoid some simple denial of service attacks,
        including limits on maximum request-line size, number of header
  
  
  
  1.233     +139 -9    apache-1.3/src/main/http_protocol.c
  
  Index: http_protocol.c
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
  retrieving revision 1.232
  retrieving revision 1.233
  diff -u -r1.232 -r1.233
  --- http_protocol.c	1998/08/09 14:33:11	1.232
  +++ http_protocol.c	1998/08/09 16:52:31	1.233
  @@ -626,12 +626,18 @@
   
   static int read_request_line(request_rec *r)
   {
  -    char *l=alloca(r->server->limit_req_line + 2);
  -    const char *ll = l, *uri;
  +    char *l;
  +    const char *ll;
  +    const char *uri;
       conn_rec *conn = r->connection;
       int major = 1, minor = 0;   /* Assume HTTP/1.0 if non-"HTTP" protocol */
       int len;
  +    pool *tmp;
   
  +    tmp = ap_make_sub_pool(r->pool);
  +    l = ap_palloc(tmp, r->server->limit_req_line + 2);
  +    ll = l;
  +
       /* Read past empty lines until we get a real request line,
        * a read error, the connection closes (EOF), or we timeout.
        *
  @@ -647,9 +653,10 @@
        * have to block during a read.
        */
       ap_bsetflag(conn->client, B_SAFEREAD, 1);
  -    while ((len = getline(l, sizeof(l), conn->client, 0)) <= 0) {
  +    while ((len = getline(l, r->server->limit_req_line + 2, conn->client, 0))
<= 0) {
           if ((len < 0) || ap_bgetflag(conn->client, B_EOF)) {
               ap_bsetflag(conn->client, B_SAFEREAD, 0);
  +	    ap_destroy_pool(tmp);
               return 0;
           }
       }
  @@ -689,10 +696,11 @@
   
       ap_parse_uri(r, uri);
   
  -    if (len >= sizeof(l) - 1) {
  +    if (len >= r->server->limit_req_line - 1) {
           r->status    = HTTP_REQUEST_URI_TOO_LARGE;
           r->proto_num = HTTP_VERSION(1,0);
           r->protocol  = ap_pstrdup(r->pool, "HTTP/1.0");
  +	ap_destroy_pool(tmp);
           return 0;
       }
   
  @@ -705,34 +713,103 @@
       else
   	r->proto_num = HTTP_VERSION(1,0);
   
  +    ap_destroy_pool(tmp);
       return 1;
   }
   
  +/* Curse libc and the fact that it doesn't guarantee a stable sort.  We
  + * have to enforce stability ourselves by using the order field. -djg
  + */
  +typedef struct {
  +    char *key;
  +    char *val;
  +    unsigned order;
  +} mime_key;
  +
  +static int sort_mime_headers(const void *va, const void *vb)
  +{
  +    const mime_key *a = va;
  +    const mime_key *b = vb;
  +    int r;
  +
  +    r = strcasecmp(a->key, b->key);
  +    if (r) {
  +	return r;
  +    }
  +    return (signed)a->order - (signed)b->order;
  +}
  +
   static void get_mime_headers(request_rec *r)
   {
       conn_rec *c = r->connection;
  -    char *value, *copy;
  +    char *copy;
       int len;
  +    char *value;
       unsigned int fields_read = 0;
  -    char *field=alloca(r->server->limit_req_fieldsize + 2);
  +    char *field;
  +    array_header *arr;
  +    pool *tmp;
  +    mime_key *new_key;
  +    unsigned order;
  +    mime_key *first;
  +    mime_key *last;
  +    mime_key *end;
  +    char *strp;
  +
  +    /* The array will store the headers in a way that we can merge them
  +     * later in O(n*lg(n))... rather than deal with various O(n^2)
  +     * operations.
  +     */
  +    tmp = ap_make_sub_pool(r->pool);
  +    arr = ap_make_array(tmp, 50, sizeof(mime_key));
  +    order = 0;
  +
  +    field = ap_palloc(tmp, r->server->limit_req_fieldsize + 2);
  +
  +    /* If headers_in is non-empty (i.e. we're parsing a trailer) then
  +     * we have to merge.  Have I mentioned that I think this is a lame part
  +     * of the HTTP standard?  Anyhow, we'll cheat, and just pre-seed our
  +     * array with the existing headers... and take advantage of the much
  +     * faster merging here. -djg
  +     */
  +    if (!ap_is_empty_table(r->headers_in)) {
  +	array_header *t_arr;
  +	table_entry *t;
  +	table_entry *t_end;
  +
  +	t_arr = ap_table_elts(r->headers_in);
  +	t = (table_entry *)t_arr->elts;
  +	t_end = t + t_arr->nelts;
  +	while (t < t_end) {
  +	    new_key = ap_push_array(arr);
  +	    new_key->order = order++;
  +	    new_key->key = t->key;
  +	    new_key->val = t->val;
  +	    ++t;
  +	}
  +	ap_clear_table(r->headers_in);
  +    }
   
       /*
        * Read header lines until we get the empty separator line, a read error,
        * the connection closes (EOF), reach the server limit, or we timeout.
        */
  -    while ((len = getline(field, sizeof(field), c->client, 1)) > 0) {
  +    while ((len = getline(field, r->server->limit_req_fieldsize + 2,
  +			c->client, 1)) > 0) {
   
           if (++fields_read > r->server->limit_req_fields) {
               r->status = HTTP_BAD_REQUEST;
               ap_table_setn(r->notes, "error-notes",
                   "Number of request header fields exceeds server limit.<P>\n");
  +	    ap_destroy_pool(tmp);
               return;
           }
  -        if (len >= sizeof(field) - 1) { 
  +        if (len >= r->server->limit_req_fieldsize + 1) { 
               r->status = HTTP_BAD_REQUEST;
               ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool,
                   "Size of a request header field exceeds server limit.<P>\n"
                   "<PRE>\n", field, "</PRE>\n", NULL));
  +	    ap_destroy_pool(tmp);
               return;
           }
           copy = ap_palloc(r->pool, len + 1);
  @@ -743,6 +820,7 @@
               ap_table_setn(r->notes, "error-notes", ap_pstrcat(r->pool,
                   "Request header field is missing colon separator.<P>\n"
                   "<PRE>\n", copy, "</PRE>\n", NULL));
  +	    ap_destroy_pool(tmp);
               return;
           }
   
  @@ -752,9 +830,61 @@
               ++value;            /* Skip to start of value   */
   
   	/* XXX: should strip trailing whitespace as well */
  +
  +	/* Notice that key and val are actually in r->pool... this is a slight
  +	 * optimization to handle the normal case, where we don't have twits
  +	 * trying to exploit the server.  In the abnormal case where twits are
  +	 * trying to exploit the server by causing it to do header merging
  +	 * and other such nonsense we consume twice as much memory as we
  +	 * could optimally.  Oh well.  -djg
  +	 */
  +	new_key = ap_push_array(arr);
  +	new_key->order = order++;
  +	new_key->key = copy;
  +	new_key->val = value;
  +    }
  +
  +    /* Now we have to merge headers. */
  +    qsort(arr->elts, arr->nelts, sizeof(mime_key), sort_mime_headers);
   
  -        ap_table_mergen(r->headers_in, copy, value);
  +    /* Now iterate over the array and build r->headers_in. */
  +    first = (mime_key *)arr->elts;
  +    end = first + arr->nelts;
  +    while (first < end) {
  +	last = first + 1;
  +	if (last == end
  +	    || strcasecmp(first->key, last->key)) {
  +	    ap_table_addn(r->headers_in, first->key, first->val);
  +	    first = last;
  +	}
  +	else {
  +	    /* Have to merge some headers.  Let's re-use the order field,
  +	     * since it's handy... we'll store the length of val there.
  +	     */
  +	    first->order = strlen(first->val);
  +	    len = first->order;
  +	    do {
  +		last->order = strlen(last->val);
  +		len += 2 + last->order;
  +		++last;
  +	    } while (last < end
  +		    && !strcasecmp(first->key, last->key));
  +	    /* last points one past the last header to merge */
  +	    value = ap_palloc(r->pool, len + 1);
  +	    strp = value;
  +	    for (;;) {
  +		memcpy(strp, first->val, first->order);
  +		strp += first->order;
  +		++first;
  +		if (first == last) break;
  +		*strp++ = ',';
  +		*strp++ = ' ';
  +	    }
  +	    *strp = 0;
  +	    ap_table_addn(r->headers_in, (first-1)->key, value);
  +	}
       }
  +    ap_destroy_pool(tmp);
   }
   
   request_rec *ap_read_request(conn_rec *conn)
  
  
  

Mime
View raw message