httpd-dev mailing list archives

From Lazy <lazy...@gmail.com>
Subject Re: DoS with mod_deflate & range requests
Date Tue, 23 Aug 2011 13:56:06 GMT
2011/8/23 Lazy <lazy404@gmail.com>:
> 2011/8/23 Stefan Fritsch <sf@sfritsch.de>:
>> http://seclists.org/fulldisclosure/2011/Aug/175
>>
>> I haven't looked into it so far. And I am not sure I will have time today.
>>
>
> it is sending HEAD requests with lots of ranges
> HEAD / HTTP/1.1
> Host: xxxx
> Range:bytes=0-,5-1,5-2,5-3,.....
>
> the code in
> ap_byterange_filter()
> http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c
> creates a bucket for every range element,
>
> the number of buckets is limited by the size of the document in
> published code but I think it can be enhanced by
> using 1-2,1-3,..1-doc_size,2-1,2-2, 2-doc_size
>
> does Range in HEAD request have any sense at all?

quick fix below made it immune to this DoS

diff -ru modules/http/byterange_filter.c.org
modules/http/byterange_filter.c |less
--- byterange_filter.c  2011-02-13 15:32:19.000000000 +0100
+++ modules/http/byterange_filter.c     2011-08-23 15:54:37.000000000 +0200
@@ -320,6 +320,7 @@
     const char *if_range;
     const char *match;
     const char *ct;
+    char * tmp;
     int num_ranges;

     if (r->assbackwards) {
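
Review bot: the new `char * tmp;` declaration should be `const char *tmp;`. The pointer is only read through in the counting loop in the next hunk, never written through, and the three declarations directly above it are all `const char *` with no space after the `*`.
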
@@ -373,14 +374,13 @@
         }
     }

-    if (!ap_strchr_c(range, ',')) {
-        /* a single range */
-        num_ranges = 1;
-    }
-    else {
-        /* a multiple range */
-        num_ranges = 2;
-    }
+    /* count ranges, exit if more then 10 */
+    tmp=range+6;
+    num_ranges=1;
+    while(*++tmp)
+        if(*tmp == ',')
+           if(++num_ranges > 10)
+               return 0;

     r->status = HTTP_PARTIAL_CONTENT;
     r->range = range + 6;
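
Review bot: the counting loop sets `tmp=range+6` and then pre-increments in `while(*++tmp)`, so the character at `range + 6` is never examined, and if `range + 6` is already the string terminator the increment steps over it and the loop reads past the end of the header value. Test before advancing, for example `for (tmp = range + 6; *tmp; tmp++)`. The limit of 10 is a bare literal and the early `return 0` is unexplained: give the limit a name (or make it configurable) and state in the comment what a 0 return means to the caller. Also, `num_ranges` used to be 1 or 2 and now holds the real count, so any later use that depends on the old two values needs checking.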

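An added example, not part of the original message and not httpd code: a bounded inspector for a Range header value that a filter or log checker could use to spot the pattern described above (many specs, overlapping or inverted ones) before any per-range work is done. The names `inspect_range`, `range_stats` and `MAX_TRACKED` are assumptions made for this example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_TRACKED 32  /* assumed cap for this example, not an httpd setting */
struct range_stats { int specs, overlapping, inverted, truncated; };

/* Inspect a Range header value. Returns -1 if it is not a "bytes=" range. */
int inspect_range(const char *value, struct range_stats *st)
{
    long lo[MAX_TRACKED], hi[MAX_TRACKED];
    const char *p;
    int n = 0, i;

    memset(st, 0, sizeof(*st));
    if (strncasecmp(value, "bytes=", 6) != 0)
        return -1;
    p = value + 6;                      /* may already be the terminator */
    while (*p) {                        /* tested before any advance */
        size_t len = strcspn(p, ",");   /* length of the current spec */
        if (len > 0) {
            char *end;
            long first = strtol(p, &end, 10), last = LONG_MAX;
            if (st->specs == MAX_TRACKED) {  /* bounded work: stop here */
                st->truncated = 1;
                return 0;
            }
            st->specs++;
            /* only "a-" and "a-b" are compared; suffix "-n" is just counted */
            if (*p != '-' && end != p && *end == '-') {
                if (end[1] >= '0' && end[1] <= '9')
                    last = strtol(end + 1, NULL, 10);
                if (last < first) {
                    st->inverted++;     /* e.g. "5-1": last before first */
                } else {
                    for (i = 0; i < n; i++)
                        if (first <= hi[i] && lo[i] <= last) {
                            st->overlapping++;
                            break;
                        }
                    lo[n] = first; hi[n] = last; n++;
                }
            }
        }
        p += len;
        if (*p == ',') p++;
    }
    return 0;
}
```

A caller would reject or ignore the header when `truncated` is set or when `overlapping` or `inverted` is non-zero; which of those responses is appropriate is a policy choice outside this sketch.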