Range-Bug



Hello,

because bugzilla.gnome.org doesn't load for me right now, I will post it
here.
While I'm happy that libsoup handles range requests automatically, I
found out that invalid range requests lead to an integer overflow in
Content-Length.

Reproduce:

printf "GET / HTTP/1.0\r\n\r\n" |nc localhost 8000
printf "GET / HTTP/1.0\r\nRange: bytes=0-\r\n\r\n" |nc localhost 8000
printf "GET / HTTP/1.0\r\nRange: bytes=4-\r\n\r\n" |nc localhost 8000
printf "GET / HTTP/1.0\r\nRange: bytes=5-\r\n\r\n" |nc localhost 8000
printf "GET / HTTP/1.0\r\nRange: bytes=6-\r\n\r\n" |nc localhost 8000
printf "GET / HTTP/1.0\r\nRange: bytes=7-\r\n\r\n" |nc localhost 8000

On this small server:

#!/usr/bin/env python3
from gi.repository import Soup, GObject
import signal

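# Handler: answer every request with the 5-byte body "hallo".
def w(server, msg, path, query, clientContext, userdata):
  msg.set_status(200)
  msg.set_response("text/html", Soup.MemoryUse.COPY, "hallo".encode())

g = Soup.Server(port=8000)
g.add_handler("", w, None)
# Restore the default SIGINT action so Ctrl-C stops the server.
signal.signal(signal.SIGINT, signal.SIG_DFL)
g.run()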

Leads to these answers:

HTTP/1.0 200 OK
Server: libsoup/2.42.2
Date: Tue, 30 Jul 2013 16:40:36 GMT
Content-Type: text/html
Content-Length: 5

hallo
---
HTTP/1.0 206 Partial Content
Server: libsoup/2.42.2
Date: Tue, 30 Jul 2013 16:40:36 GMT
Content-Type: text/html
Content-Range: bytes 0-4/5
Content-Length: 5

hallo
---
HTTP/1.0 206 Partial Content
Server: libsoup/2.42.2
Date: Tue, 30 Jul 2013 16:40:36 GMT
Content-Type: text/html
Content-Range: bytes 4-4/5
Content-Length: 1

o
---
HTTP/1.0 206 Partial Content
Server: libsoup/2.42.2
Date: Tue, 30 Jul 2013 16:40:36 GMT
Content-Type: text/html
Content-Range: bytes 5-4/5
Content-Length: 0

---
HTTP/1.0 206 Partial Content
Server: libsoup/2.42.2
Date: Tue, 30 Jul 2013 16:40:36 GMT
Content-Type: text/html
Content-Range: bytes 6-4/5
Content-Length: 18446744073709551615

---
HTTP/1.0 206 Partial Content
Server: libsoup/2.42.2
Date: Tue, 30 Jul 2013 16:40:36 GMT
Content-Type: text/html
Content-Range: bytes 7-4/5
Content-Length: 18446744073709551614


And two assertions failing:
(process:31829): libsoup-CRITICAL **: soup_message_body_append_buffer:
assertion `buffer->length > 0' failed
(process:31829): libsoup-CRITICAL **: soup_message_body_append_buffer:
assertion `buffer->length > 0' failed

Of course the response behavior for abnormal requests is not easy to
discuss, but at least Content-Length and Content-Range are somehow wrong.

Thanks for reading,

Kai
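
The unsigned length arithmetic that would produce the Content-Length values reported above, next to a checked resolution of the same ranges. This is an added example, not part of the original post and not libsoup's code. It goes beyond the open-ended form in the report by also accepting bytes=FIRST-LAST; the function names, the enum and the assumed arithmetic are hypothetical.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RANGE_IGNORE: malformed, or a form not handled here (suffix, multi-range). */
enum range_result { RANGE_OK, RANGE_IGNORE, RANGE_UNSATISFIABLE };

/* Assumed arithmetic: end = total-1, start never compared to total, so it wraps. */
uint64_t unchecked_length(uint64_t start, uint64_t total) {
    return (total - 1) - start + 1;
}

/* Checked resolution of "bytes=FIRST-[LAST]" against a body of `total` bytes. */
enum range_result resolve_range(const char *value, uint64_t total,
                                uint64_t *start, uint64_t *length) {
    char *p;
    uint64_t first, last = UINT64_MAX;      /* open-ended until LAST is seen */
    if (strncmp(value, "bytes=", 6) != 0 || value[6] < '0' || value[6] > '9')
        return RANGE_IGNORE;
    errno = 0;
    first = strtoull(value + 6, &p, 10);
    if (errno == ERANGE || *p != '-')
        return RANGE_IGNORE;
    if (p[1] != '\0') {
        if (p[1] < '0' || p[1] > '9')
            return RANGE_IGNORE;
        last = strtoull(p + 1, &p, 10);
        if (errno == ERANGE || *p != '\0' || last < first)
            return RANGE_IGNORE;
    }
    if (first >= total)                     /* also covers an empty body */
        return RANGE_UNSATISFIABLE;
    last = last < total ? last : total - 1; /* clamp to the last body byte */
    *start = first;
    *length = last - first + 1;             /* first <= last < total: no wrap */
    return RANGE_OK;
}

int main(void) {
    const char *v[] = { "bytes=4-", "bytes=5-", "bytes=6-", "bytes=7-" };
    for (int i = 0; i < 4; i++) {           /* offsets from the report, body "hallo" */
        uint64_t s = 0, n = 0;
        printf("%s unchecked length %" PRIu64 ", checked result %d\n", v[i],
               unchecked_length(4 + (uint64_t)i, 5), resolve_range(v[i], 5, &s, &n));
    }
}
```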

