NetBSD-Bugs archive
bin/56085: One can kind of run away with memory as bozodgetln grows a buffer to infinity
>Number: 56085
>Category: bin
>Synopsis: One can kind of run away with memory as bozodgetln grows a buffer to infinity
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Tue Mar 30 09:00:00 +0000 2021
>Originator: Justin Parrott
>Release: current
>Organization:
independent
>Environment:
NetBSD 9.99.81 NetBSD 9.99.81 (GENERIC) #0: Mon Mar 29 02:32:22 UTC 2021 root@localhost:/usr/src/sys/arch/amd64/compile/obj/GENERIC amd64
>Description:
bozodgetln grows a buffer to infinity. This appears to be limited by httpd->header_timeout (off by default).
>How-To-Repeat:
{ stty -icanon; { printf "GET / HTTP/1.1\r\n"; while true; do printf a; done; } |nc localhost 80; }
>Fix:
Patch below - minimally tested against running the daemon out of inetd. Also, users should impose a header timeout.
Index: bozohttpd.c
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.c,v
retrieving revision 1.128
diff -r1.128 bozohttpd.c
859a860,864
> if (!str) {
> bozo_http_error(httpd, 400, request, "bad headers");
> goto cleanup;
> }
>
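Review bot: the `if (!str)` check answers every NULL result with 400 "bad headers", so (assuming `str` is the line returned by bozodgetln) the new over-length case cannot be told apart, by the client or in logs, from any other reason that call returns NULL. Consider an error string that names the cause for the over-limit path, such as "header line too long", or have bozodgetln report why it failed so this branch can choose the response.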
2409a2415,2424
> if (BOZO_HEADERS_MAX_LINESIZE &&
> httpd->getln_buflen > BOZO_HEADERS_MAX_LINESIZE) {
> debug((httpd, DEBUG_EXPLODING, "bozodgetln: "
> "header line exceeds %d bytes",
> BOZO_HEADERS_MAX_LINESIZE));
> free(httpd->getln_buffer);
> httpd->getln_buflen = 0;
> return NULL;
> }
>
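Review bot: in the over-limit branch, `free(httpd->getln_buffer);` leaves `httpd->getln_buffer` pointing at freed memory while `getln_buflen` is reset to 0, so any later code that reuses, reallocates or frees that pointer would hit a use-after-free or double free. Add `httpd->getln_buffer = NULL;` directly after the free. Separately, the condition tests `getln_buflen`, which by its name is the allocated buffer size rather than the number of bytes read, so the effective cutoff depends on how the buffer grows; either compare the line length itself or say so in a comment.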
Index: bozohttpd.h
===================================================================
RCS file: /cvsroot/src/libexec/httpd/bozohttpd.h,v
retrieving revision 1.68
diff -r1.68 bozohttpd.h
229a230,232
> /* header lines can be this long. 0 for infinity */
> #define BOZO_HEADERS_MAX_LINESIZE (2 * 1024)
>
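Review bot: `#define BOZO_HEADERS_MAX_LINESIZE (2 * 1024)` has no `#ifndef` guard, so the limit cannot be changed from the build flags without editing the header, and the documented "0 for infinity" value brings back the unbounded growth this PR reports. Wrap the define in `#ifndef BOZO_HEADERS_MAX_LINESIZE` / `#endif`, and extend the comment to say the value is in bytes and is compared against the buffer length in bozodgetln.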