mhttpd denial of service if request contains null byte
Issue #129
resolved
If mhttpd tries to handle posted data that contains a null byte, it will spin forever in decode_post. That thread has the request_mutex, so no other requests can be processed until mhttpd is restarted.

The root cause of the bug seems to be deep in the mongoose parsing of the request. However, it is possible for mhttpd to detect the problem, and quickly return. My suggested solution is to change the end of handle_http_message to:
    if (msg->body.p && strlen(msg->body.p) < msg->body.len) {
       if (trace_mg || verbose_mg)
          printf("handle_http_message: Bad body length\n");
    } else if (method == "GET")
       response_sent = handle_http_get(nc, msg, uri.c_str(), t);
    else if (method == "POST")
       response_sent = handle_http_post(nc, msg, uri.c_str(), t);
This will result in a 501 being returned.

We found this issue due to a bad bot (seemingly from China) which searches for exploits. A minimal example is curl -X POST http://midas.url:port --form "bad_field=<bad_data.txt", where bad_data.txt is attached (and contains a null byte in the middle of some text).
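The check proposed above compares the C-string length of the body with the length mongoose framed it with; the two disagree exactly when a NUL byte sits inside the body, which is what makes a strlen()-driven parser see less data than the request promised. The following C program is an added illustration, not mhttpd or mongoose code: the struct, function names and the multipart sample are constructed for this example. It implements the same condition with memchr(), which is bounded by the framed length and so cannot read past the body even if the request buffer is not NUL-terminated (whether mongoose guarantees a terminator is assumed unknown here), and it models the dispatch so that a body with an embedded NUL is answered with 501 before any parser touches it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample (hypothetical): a multipart POST like the curl example in
 * the report, with a NUL byte in the middle of the uploaded text. The literal
 * is a byte array, so sizeof counts the embedded NUL and the terminator. */
static const char sample_body[] =
    "--boundary\r\n"
    "Content-Disposition: form-data; name=\"bad_field\"; "
    "filename=\"bad_data.txt\"\r\n\r\n"
    "some text\0more text"
    "\r\n--boundary--\r\n";

/* Framed length as an HTTP parser would report it (all bytes, not strlen). */
size_t sample_body_len(void) { return sizeof sample_body - 1; }

/* Length a C-string routine sees: distance to the first NUL, capped at len.
 * memchr never reads beyond len, whereas strlen() keeps scanning until it
 * finds a terminator the buffer may not contain. */
size_t c_string_visible_len(const char *p, size_t len) {
    const char *nul = memchr(p, '\0', len);
    return nul ? (size_t)(nul - p) : len;
}

/* 1 if the body holds a NUL before len: the case where a strlen()-based
 * parser would stop short of the data the framing promised. */
int body_has_embedded_nul(const char *p, size_t len) {
    return p != NULL && len > 0 && memchr(p, '\0', len) != NULL;
}

/* Dispatch modelled on the end of handle_http_message from the report:
 * a body with an embedded NUL is rejected before any handler runs.
 * Returns the status the server would answer with (501 when no handler
 * produced a response, 200 when one did). The method strings are plain
 * C strings here instead of the std::string used in mhttpd. */
int dispatch_status(const char *method, const char *body, size_t len) {
    if (body_has_embedded_nul(body, len)) {
        /* handle_http_message: Bad body length */
        return 501;
    }
    if (strcmp(method, "GET") == 0 || strcmp(method, "POST") == 0)
        return 200;  /* handler would have sent a response */
    return 501;
}

int main(void) {
    size_t len = sample_body_len();
    printf("framed length %zu, C-string length %zu, embedded NUL: %d, status: %d\n",
           len, c_string_visible_len(sample_body, len),
           body_has_embedded_nul(sample_body, len),
           dispatch_status("POST", sample_body, len));
    return 0;
}
```

Run stand-alone, the program shows the framed length exceeding the C-string length for the constructed body and the request being answered with 501; a body without a NUL (for example a plain "a=1&b=2") passes through to the normal handler.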
Comments (1)
Thanks Ben, I appreciate bug reports with proposed fixes. Actually the loop is not in the mongoose part but in the midas decode_post() routine. So I first fixed the loop there, and second applied your patch, which I think is anyhow a good check also for other kinds of malformed requests. So thanks again!