libmicrohttpd

Re: [libmicrohttpd] bad request crashes daemon


From: Christian Grothoff
Subject: Re: [libmicrohttpd] bad request crashes daemon
Date: Wed, 26 Mar 2008 08:51:17 -0600
User-agent: KMail/1.9.7

You are right.  Fixed in SVN 6626 with the following patch (I think it is best 
to "tolerate" this kind of malformed request by ignoring the "abc" input 
instead of closing the connection or being unfriendly in some other fashion). 
Now, the code will kill the connection if there are multiple lines of bad 
input like that (before the end of the header).  

I guess what we should do is send an HTTP 400 Bad Request response, but that 
patch will be a bit longer. I'll look into doing something along those lines 
later today.

Christian

Index: connection.c
===================================================================
--- connection.c        (revision 6619)
+++ connection.c        (working copy)
@@ -1220,8 +1220,10 @@
       connection->last = last;
       return;                   /* possibly more than 2 lines... */
     }
-  if (MHD_NO == connection_add_header (connection,
-                                       last, connection->colon, kind))
+  if ( (last != NULL) &&
+       (connection->colon != NULL) &&
+       (MHD_NO == connection_add_header (connection,
+                                        last, connection->colon, kind)) )
     {
       excessive_data_handler (connection, MHD_HTTP_REQUEST_ENTITY_TOO_LARGE);
       return;
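
Review bot: the new (last != NULL) and (connection->colon != NULL) tests in the if condition make a colon-less line skip connection_add_header silently, with no comment saying the drop is intentional and no diagnostic at that point. Add a short comment above the condition, and consider giving the NULL case its own branch instead of folding it into the MHD_NO test: that keeps the malformed-line case apart from the excessive_data_handler (connection, MHD_HTTP_REQUEST_ENTITY_TOO_LARGE) path and gives the 400 Bad Request response mentioned in the message a natural place to go.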

Christian

On Wednesday 26 March 2008, Sebastian Gerhardt wrote:
> Hello MHD developers,
>
> I am not sure whether this is a bug in the library or
> the application bears responsibility for this, but a misbehaving client
> is able to crash the daemon.
> I have tried version 2.2 and 2.3, compiled and ran it on Debian Etch x86
> without libcurl.
>
> I can reproduce this with your minimal_example:
> 1.$ ./minimal_example 8000 50
> 2.$ telnet localhost
>
>   >GET / <enter>
>   >abc<enter>
>
>   <enter>
>
> Output:
> `MHD_connection_handle_idle' in state 1
> Received malformed line (no colon), closing connection.
> `MHD_connection_handle_idle' in state 2
> `MHD_connection_handle_idle' in state 2
> `MHD_connection_handle_idle' in state 3
> segmentation fault
>
>
> I think this is because the library tries parsing for cookies in the
> header. When the function MHD_lookup_connection_value in connection.c is
> reached, it does a strcasecmp (key, pos->header) but pos->header is NULL
> at this point.
>
>
> regards
> Sebastian
>
> _______________________________________________
> libmicrohttpd mailing list
> address@hidden
> http://crisp.cs.du.edu/cgi-bin/mailman/listinfo/libmicrohttpd
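
An added example, not code from libmicrohttpd or from this thread: a stand-alone header parser that answers a colon-less line such as "abc" with a 400 status instead of storing a NULL entry, together with a lookup that tolerates NULL. All names (parse_headers, lookup_header, the PARSE_* constants) are hypothetical, and the request line is assumed to have been consumed already.

```c
/* Added illustration; not libmicrohttpd code. All names are hypothetical. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define MAX_HEADERS 16
#define PARSE_OK 0
#define PARSE_BAD_REQUEST 400   /* malformed header line (no colon) */
#define PARSE_TOO_LARGE 413     /* header table full */

struct header { char *name; char *value; };
struct request { struct header h[MAX_HEADERS]; size_t n; };

/* Parse a mutable, NUL-terminated header block in place ("Name: value\r\n"...).
   Stops at the empty line. Never stores a NULL name or value. */
int parse_headers(struct request *r, char *buf)
{
  r->n = 0;
  while (*buf != '\0') {
    char *eol = strstr(buf, "\r\n");
    if (eol == NULL) return PARSE_BAD_REQUEST;   /* unterminated line */
    *eol = '\0';
    if (buf == eol) return PARSE_OK;             /* blank line: end of header */
    char *colon = strchr(buf, ':');
    if (colon == NULL || colon == buf)
      return PARSE_BAD_REQUEST;                  /* e.g. the "abc" line */
    if (r->n == MAX_HEADERS) return PARSE_TOO_LARGE;
    *colon++ = '\0';                             /* split name from value */
    while (*colon == ' ' || *colon == '\t') colon++;
    r->h[r->n].name = buf;
    r->h[r->n].value = colon;
    r->n++;
    buf = eol + 2;
  }
  return PARSE_BAD_REQUEST;                      /* no terminating blank line */
}

/* Case-insensitive lookup that tolerates NULL keys and NULL stored names. */
const char *lookup_header(const struct request *r, const char *key)
{
  if (r == NULL || key == NULL) return NULL;
  for (size_t i = 0; i < r->n; i++)
    if (r->h[i].name != NULL && strcasecmp(key, r->h[i].name) == 0)
      return r->h[i].value;
  return NULL;
}
```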



