Content-Length if not given defaults to a large number of bytes making the server to wait for any data #2787

Closed
michaelrsweet opened this issue Apr 7, 2008 · 3 comments
@michaelrsweet
Collaborator

Version: 1.3-current
CUPS.org User: rahulmode

Tested on both CUPS-1.1.23 and CUPS-1.3.7

Content-Length, if not given, defaults to 2147483647 bytes, making the server wait for that many bytes.

The exploit scenario:

If the user connects using "nc" to a server on which he is allowed to make POST requests and sends a request without stating the Content-Length value, then the server waits for 2147483647 bytes or the time-out, whichever is earlier.

Now if an attacker connects to the server with max-clients-allowed and sends this request from each client, then the SERVER may possibly go into DoS!!

Ex Exploit:

nc cups_server 631

   POST /printers/ HTTP/1.1
   Content-Length: 
   \n\n 

    < other data > 

-- BY Rahul Mode ( rahulmode@gmail.com )
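
What rejecting the unframed request looks like in isolation, as an added example that is not CUPS code and not part of the original report: a C function that refuses a body-carrying request whose Content-Length is absent or empty instead of falling back to a large default. The names `body_framing` and `frame_status` are hypothetical, and the sample header values are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical status codes for this example (not CUPS identifiers). */
typedef enum { FRAME_OK, FRAME_LENGTH_REQUIRED, FRAME_BAD_LENGTH } frame_status;

/*
 * Decide how many body bytes to expect for a request that carries a body.
 * value:   raw Content-Length value, or NULL when the header was absent.
 * chunked: non-zero when the body uses chunked transfer encoding.
 * On FRAME_OK, *remaining is the byte count (0 for chunked bodies, whose
 * framing comes from the chunk headers).
 */
frame_status body_framing(const char *value, int chunked, long long *remaining)
{
  char *end;
  long long n;
  *remaining = 0;
  if (chunked)
    return FRAME_OK;
  if (!value)                       /* absent: refuse, do not assume a default */
    return FRAME_LENGTH_REQUIRED;
  while (*value == ' ' || *value == '\t')
    value++;
  if (!*value)                      /* "Content-Length: " with no value */
    return FRAME_LENGTH_REQUIRED;
  if (*value < '0' || *value > '9') /* rejects "-1" and "+5" */
    return FRAME_BAD_LENGTH;
  errno = 0;
  n = strtoll(value, &end, 10);
  while (*end == ' ' || *end == '\t')
    end++;
  if (errno == ERANGE || *end != '\0') /* overflow or trailing junk */
    return FRAME_BAD_LENGTH;
  *remaining = n;
  return FRAME_OK;
}

int main(void)
{
  /* Constructed sample header values, including the empty one from the report. */
  const char *samples[] = { NULL, "", "-1", "12abc", "42" };
  long long n;
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%s -> %d\n", samples[i] ? samples[i] : "(absent)",
           (int)body_framing(samples[i], 0, &n));
  return 0;
}
```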

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Reassigned to 1.3.x as a priority 2 bug...

@michaelrsweet
Collaborator Author

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet
Collaborator Author

"str2787.patch":

Index: scheduler/client.c

--- scheduler/client.c (revision 7434)
+++ scheduler/client.c (working copy)
@@ -1450,7 +1450,9 @@

      break;
         }
  •   else if (con->http.data_remaining < 0)
    
  •   else if (con->http.data_remaining < 0 ||
    
  •            (!con->http.fields[HTTP_FIELD_CONTENT_LENGTH][0] &&
    
  •         con->http.data_encoding == HTTP_ENCODE_LENGTH))
    {
     /*
      \* Negative content lengths are invalid!
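
Review bot: the comment inside the block still reads "Negative content lengths are invalid!" although the widened condition now also rejects a request whose Content-Length field is empty while data_encoding is HTTP_ENCODE_LENGTH; update the comment to name both cases so the missing-length rejection is documented where it happens. The new test inspects only the first byte of con->http.fields[HTTP_FIELD_CONTENT_LENGTH], so it is worth confirming that a header sent with a blank value, as in the report, leaves that field empty after parsing and does not slip past this branch.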
    
