mhttpd denial of service if request contains null byte

Issue #129 resolved
Ben Smith created an issue

If mhttpd tries to handle posted data that contains a null byte, it will spin forever in decode_post. That thread has the request_mutex, so no other requests can be processed until mhttpd is restarted.

The root cause of the bug seems to be deep in the mongoose parsing of the request. However, it is possible for mhttpd to detect the problem and return quickly. My suggested solution is to change the end of handle_http_message to:

   // A NUL inside the body makes strlen() stop early, so it comes out
   // shorter than the length mongoose reports: reject before dispatching.
   if (msg->body.p && strlen(msg->body.p) < msg->body.len) {
      if (trace_mg||verbose_mg)
         printf("handle_http_message: Bad body length\n");
   } else if (method == "GET")
      response_sent = handle_http_get(nc, msg, uri.c_str(), t);
   else if (method == "POST")
      response_sent = handle_http_post(nc, msg, uri.c_str(), t);

This will result in a 501 being returned.

We found this issue due to a bad bot (seemingly from China) which searches for exploits.

A minimal example is curl -X POST http://midas.url:port --form "bad_field=<bad_data.txt", where bad_data.txt is attached (and contains a null byte in the middle of some text).

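The following is an added example, not code from mhttpd, mongoose or the reporter: it builds a multipart body of the shape the curl command above sends (boundary, field name and text are constructed here), shows that strlen() sees less of it than the declared length once a NUL byte is embedded, and applies the proposed pre-dispatch check. The check is written with memchr() bounded by the declared length instead of strlen(), so it does not depend on a terminator following the body. The 200 placeholder for accepted methods and the function names are assumptions of this example; 501 for the rejected body is what the issue states.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: roughly what "curl --form bad_field=<bad_data.txt"
   sends when bad_data.txt has a NUL byte in the middle of some text.
   Boundary, field name and text are made up for this example. The
   literal's trailing NUL is not part of the body; the embedded one is. */
static const char CONSTRUCTED_BODY[] =
    "------------------------abc123\r\n"
    "Content-Disposition: form-data; name=\"bad_field\"; filename=\"bad_data.txt\"\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "some text\0more text\r\n"
    "------------------------abc123--\r\n";
#define CONSTRUCTED_BODY_LEN (sizeof(CONSTRUCTED_BODY) - 1)

/* The same constructed body with the NUL byte replaced by a space. */
static const char CLEAN_BODY[] =
    "------------------------abc123\r\n"
    "Content-Disposition: form-data; name=\"bad_field\"; filename=\"bad_data.txt\"\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "some text more text\r\n"
    "------------------------abc123--\r\n";
#define CLEAN_BODY_LEN (sizeof(CLEAN_BODY) - 1)

/* Returns 1 if a NUL byte appears within the declared body length.
   Bounded by len, so it never reads past the buffer even when the body
   is not NUL-terminated; the strlen() form in the issue additionally
   relies on a terminator following the body. */
int body_has_embedded_nul(const char *p, size_t len)
{
    return p != NULL && len > 0 && memchr(p, '\0', len) != NULL;
}

/* Stand-in (assumed for this example) for the end of handle_http_message:
   reject a body with an embedded NUL before any parser sees it. 501 is
   the status the issue says the check produces; 200 for GET/POST is a
   placeholder for the real handlers. */
int dispatch_status(const char *method, const char *body, size_t len)
{
    if (body_has_embedded_nul(body, len))
        return 501;
    if (strcmp(method, "GET") == 0 || strcmp(method, "POST") == 0)
        return 200;
    return 501;
}

int main(void)
{
    printf("declared body length %zu, strlen() sees %zu\n",
           CONSTRUCTED_BODY_LEN, strlen(CONSTRUCTED_BODY));
    printf("POST with embedded NUL -> %d\n",
           dispatch_status("POST", CONSTRUCTED_BODY, CONSTRUCTED_BODY_LEN));
    printf("POST clean body        -> %d\n",
           dispatch_status("POST", CLEAN_BODY, CLEAN_BODY_LEN));
    return 0;
}
```

The mismatch between strlen() and the declared length is the symptom the issue's patch keys on; memchr() over the declared length detects the same condition without assuming anything about the byte after the body.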
Comments (1)

  1. Stefan Ritt

    Thanks Ben, I appreciate bug reports with proposed fixes. Actually the loop is not in the mongoose part but in the midas decode_post() routine. So I first fixed the loop there, and second applied your patch, which I think is anyhow a good check also for other kinds of malformed request. So thanks again!