author | Christian Grothoff <christian@grothoff.org> | 2023-02-26 17:51:24 +0100 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2023-02-26 17:51:39 +0100 |
commit | 6d6846e20bfdf4b3eb1b592c97520a532f724238 (patch) | |
tree | 7e7c4d5d3954bd72abfa0d39c4ab56845398fa17 | |
parent | 08f933a6ad2138ad0fad86496eb3ba88eaf3f173 (diff) | |
fix parser bug that could be used to crash servers using the MHD_PostProcessor
-rw-r--r-- | ChangeLog | 14 | ||||
-rw-r--r-- | src/microhttpd/postprocessor.c | 2 |
2 files changed, 10 insertions, 6 deletions
@@ -1,3 +1,7 @@ | |||
1 | Sun Feb 26 05:49:30 PM CET 2023 | ||
2 | Fix potential DoS vector in MHD_PostProcessor discovered | ||
3 | by Gynvael Coldwind and Dejan Alvadzijevic. -CG | ||
4 | |||
1 | Sun 26 Dec 2021 20:30:00 MSK | 5 | Sun 26 Dec 2021 20:30:00 MSK |
2 | Releasing GNU libmicrohttpd 0.9.75 -EG | 6 | Releasing GNU libmicrohttpd 0.9.75 -EG |
3 | 7 | ||
@@ -23,7 +27,7 @@ December 2021 | |||
23 | Some code improvements for new test test_client_put_stop. | 27 | Some code improvements for new test test_client_put_stop. |
24 | Added special log message if thread creation failed due to system limits. | 28 | Added special log message if thread creation failed due to system limits. |
25 | Fully restructured new_connection_process_() to correctly handle errors, | 29 | Fully restructured new_connection_process_() to correctly handle errors, |
26 | fixed missing decrement of number of daemon connections if any error | 30 | fixed missing decrement of number of daemon connections if any error |
27 | encountered, fixed app notification of connection termination when app has | 31 | encountered, fixed app notification of connection termination when app has |
28 | not been notified about connection start, fixed (highly unlikely) reset of | 32 | not been notified about connection start, fixed (highly unlikely) reset of |
29 | the list of connections if reached daemon's connections limit. | 33 | the list of connections if reached daemon's connections limit. |
@@ -67,7 +71,7 @@ November 2021 | |||
67 | for testing of MHD. | 71 | for testing of MHD. |
68 | Renamed 'early_response' connection flag to 'discard_request' and reworked | 72 | Renamed 'early_response' connection flag to 'discard_request' and reworked |
69 | handling of connection's flags. | 73 | handling of connection's flags. |
70 | Clarified request termination reasons doxy, fixed reporting of | 74 | Clarified request termination reasons doxy, fixed reporting of |
71 | MHD_REQUEST_TERMINATED_READ_ERROR (previously this code was not really used | 75 | MHD_REQUEST_TERMINATED_READ_ERROR (previously this code was not really used |
72 | in reporting). | 76 | in reporting). |
73 | Enforce all libcurl tests exit code to be zero or one. | 77 | Enforce all libcurl tests exit code to be zero or one. |
@@ -76,7 +80,7 @@ November 2021 | |||
76 | of the last LF in termination chunk, handle correctly chunk sizes with more | 80 | of the last LF in termination chunk, handle correctly chunk sizes with more |
77 | than 16 digits (leading zeros are valid according to HTTP RFC), fixed | 81 | than 16 digits (leading zeros are valid according to HTTP RFC), fixed |
78 | handling of CRCR, LFCR, LFLF, and bare CR as single line delimiters, report | 82 | handling of CRCR, LFCR, LFLF, and bare CR as single line delimiters, report |
79 | error when invalid chunk format is received without waiting to receive | 83 | error when invalid chunk format is received without waiting to receive |
80 | (possibly missing) end of the line, reply to the client with special error | 84 | (possibly missing) end of the line, reply to the client with special error |
81 | if chunk size is too large to be handled by MHD (>16 EiB). | 85 | if chunk size is too large to be handled by MHD (>16 EiB). |
82 | Added error reply if client used too large request payload (>16 EiB). | 86 | Added error reply if client used too large request payload (>16 EiB). |
@@ -92,7 +96,7 @@ October 2021 | |||
92 | Added test family test_toolarge to check correct handling of the buffers | 96 | Added test family test_toolarge to check correct handling of the buffers |
93 | when the size of data is larger than free space. | 97 | when the size of data is larger than free space. |
94 | Fixed missing updated of read and write buffers sizes. | 98 | Fixed missing updated of read and write buffers sizes. |
95 | Added detection and use of supported "noreturn" keyword for function | 99 | Added detection and use of supported "noreturn" keyword for function |
96 | declaration. It should help compiler and static analyser. | 100 | declaration. It should help compiler and static analyser. |
97 | Added support for leak sanitizer. | 101 | Added support for leak sanitizer. |
98 | Fixed analyser errors on W32. | 102 | Fixed analyser errors on W32. |
@@ -290,7 +294,7 @@ June 2021 | |||
290 | used for the next request data. | 294 | used for the next request data. |
291 | Fixed completely broken calculation of request header size. | 295 | Fixed completely broken calculation of request header size. |
292 | Chunked response: do not ask app callback for more data then | 296 | Chunked response: do not ask app callback for more data then |
293 | it is possible to process (more than 16 MBytes). | 297 | it is possible to process (more than 16 MBytes). |
294 | Check and report if app used wrong response code (>999 or <100) | 298 | Check and report if app used wrong response code (>999 or <100) |
295 | Refuse to add second "Transfer-Encoding" header. | 299 | Refuse to add second "Transfer-Encoding" header. |
296 | HTTPS tests: check whether all libcurl function succeeded. | 300 | HTTPS tests: check whether all libcurl function succeeded. |
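--- a/src/microhttpd/postprocessor.c
+++ b/src/microhttpd/postprocessor.c
@@ -83,7 +83,7 @@ MHD_create_post_processor (struct MHD_Connection *connection,
 return NULL; /* failed to determine boundary */
 boundary += MHD_STATICSTR_LEN_ ("boundary=");
 blen = strlen (boundary);
-if ( (blen == 0) ||
+if ( (blen < 2) ||
 (blen * 2 + 2 > buffer_size) )
 return NULL; /* (will be) out of memory or invalid boundary */
 if ( (boundary[0] == '"') &&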
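Review bot: The new `blen < 2` guard runs before the quote test that begins on the last line of this hunk, so a value made up of only the two enclosing quote characters still passes it. If the code that follows strips those quotes (the body of that `if` is outside the hunk, so this is inferred), `blen` would end up 0, which is the empty-boundary case the old `blen == 0` test rejected for unquoted input. Consider re-checking after unquoting, e.g. `if (0 == blen) return NULL; /* empty boundary after removing quotes */`, and extending the comment on the guard to say why the minimum is 2. The diffstat lists only ChangeLog and postprocessor.c, so a regression test that passes short and quote-only boundary values to MHD_create_post_processor would help keep this parser path covered. MHD_create_post_processor starts before and continues past the hunk.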