[libsoup] add limit on maximum header size to avoid DOS (bug #792173)

From: Claudio Saavedra <csaavedra src gnome org>
To: commits-list gnome org
Cc:
Subject: [libsoup] add limit on maximum header size to avoid DOS (bug #792173)
Date: Fri, 9 Feb 2018 14:42:50 +0000 (UTC)

commit f33de90ae9af9e340198ed2eead1f9cfb1793fd2
Author: Michele Dionisio <michele dionisio gmail com>
Date:   Sat Jan 6 12:03:48 2018 +0100

    add limit on maximum header size to avoid DOS (bug #792173)
    
    Signed-off-by: Michele Dionisio <michele dionisio gmail com>

 libsoup/soup-message-io.c |    9 +++++++++
 tests/misc-test.c         |   33 +++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 0 deletions(-)
---
diff --git a/libsoup/soup-message-io.c b/libsoup/soup-message-io.c
index fb505fa..3a7d735 100644
--- a/libsoup/soup-message-io.c
+++ b/libsoup/soup-message-io.c
@@ -94,6 +94,7 @@ typedef struct {
 static void io_run (SoupMessage *msg, gboolean blocking);
 
 #define RESPONSE_BLOCK_SIZE 8192
+#define HEADER_SIZE_LIMIT (64 * 1024)
 
 void
 soup_message_io_cleanup (SoupMessage *msg)
@@ -254,6 +255,14 @@ read_headers (SoupMessage *msg, gboolean blocking,
                                break;
                        }
                }
+
+               if (io->read_header_buf->len > HEADER_SIZE_LIMIT) {
+                       soup_message_set_status (msg, SOUP_STATUS_MALFORMED);
+                       g_set_error_literal (error, G_IO_ERROR,
+                                            G_IO_ERROR_PARTIAL_INPUT,
+                                            _("Header too big"));
+                       return FALSE;
+               }
        }
 
        io->read_header_buf->data[io->read_header_buf->len] = '\0';
diff --git a/tests/misc-test.c b/tests/misc-test.c
index 6d43bd7..8cbda80 100644
--- a/tests/misc-test.c
+++ b/tests/misc-test.c
@@ -120,6 +120,38 @@ do_host_test (void)
        g_object_unref (two);
 }
 
+/* request with too big header should be discarded with a IO error to 
+ * prevent DOS attacks.
+ */
+static void
+do_host_big_header (void)
+{
+       SoupMessage *msg;
+       SoupSession *session;
+       int i;
+
+       g_test_bug ("792173");
+
+       session = soup_test_session_new (SOUP_TYPE_SESSION_SYNC, NULL);
+
+       msg = soup_message_new_from_uri ("GET", base_uri);
+       for (i = 0; i < 2048; i++) {
+               char *key = g_strdup_printf ("test-long-header-key%d", i);
+               char *value = g_strdup_printf ("test-long-header-key%d", i);
+               soup_message_headers_append (msg->request_headers, key, value);
+               g_free (value);
+               g_free (key);
+       }
+
+       soup_session_send_message (session, msg);
+
+       soup_test_session_abort_unref (session);
+
+       soup_test_assert_message_status (msg, SOUP_STATUS_IO_ERROR);
+
+       g_object_unref (msg);
+}
+
 /* Dropping the application's ref on the session from a callback
  * should not cause the session to be freed at an incorrect time.
  * (This test will crash if it fails.)
@@ -1182,6 +1214,7 @@ main (int argc, char **argv)
                ssl_base_uri = soup_test_server_get_uri (ssl_server, "https", "127.0.0.1");
        }
 
+       g_test_add_func ("/misc/bigheader", do_host_big_header);
        g_test_add_func ("/misc/host", do_host_test);
        g_test_add_func ("/misc/callback-unref/msg", do_callback_unref_test);
        g_test_add_func ("/misc/callback-unref/req", do_callback_unref_req_test);

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]