[src/trunk]: src/libexec/httpd avoid DoS in initial request size, which is no...

[mrg <mrg%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/178cc01f8373
branches:  trunk
changeset: 954308:178cc01f8373
user:      mrg <mrg%NetBSD.org@localhost>
date:      Sun Apr 04 18:14:26 2021 +0000

description:
avoid DoS in initial request size, which is now bounded at 16KiB.
reported by Justin Parrott in PR#56085.

diffstat:

 libexec/httpd/CHANGES     |   6 +++++-
 libexec/httpd/bozohttpd.c |  23 +++++++++++++++--------
 2 files changed, 20 insertions(+), 9 deletions(-)

diffs (85 lines):

diff -r 304186a7dcb3 -r 178cc01f8373 libexec/httpd/CHANGES
--- a/libexec/httpd/CHANGES     Sun Apr 04 13:37:17 2021 +0000
+++ b/libexec/httpd/CHANGES     Sun Apr 04 18:14:26 2021 +0000
@@ -1,4 +1,8 @@
-$NetBSD: CHANGES,v 1.47 2021/02/27 12:55:25 mrg Exp $
+$NetBSD: CHANGES,v 1.48 2021/04/04 18:14:26 mrg Exp $
+
+changes in bozohttpd 20210403:
+       o  fix a denial of service attack against initial request contents,
+           now bounded at 16KiB.  reported by Justin Parrott in PR#56085
 
 changes in bozohttpd 20210227:
        o  new support for content types: .tar.bz2, .tar.xz, .tar.lz,
diff -r 304186a7dcb3 -r 178cc01f8373 libexec/httpd/bozohttpd.c
--- a/libexec/httpd/bozohttpd.c Sun Apr 04 13:37:17 2021 +0000
+++ b/libexec/httpd/bozohttpd.c Sun Apr 04 18:14:26 2021 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: bozohttpd.c,v 1.128 2021/02/27 12:55:25 mrg Exp $      */
+/*     $NetBSD: bozohttpd.c,v 1.129 2021/04/04 18:14:26 mrg Exp $      */
 
 /*     $eterna: bozohttpd.c,v 1.178 2011/11/18 09:21:15 mrg Exp $      */
 
@@ -108,7 +108,7 @@
 #define INDEX_HTML             "index.html"
 #endif
 #ifndef SERVER_SOFTWARE
-#define SERVER_SOFTWARE                "bozohttpd/20210227"
+#define SERVER_SOFTWARE                "bozohttpd/20210403"
 #endif
 #ifndef PUBLIC_HTML
 #define PUBLIC_HTML            "public_html"
@@ -852,6 +852,10 @@
 next_header:
                alarm(httpd->header_timeout);
        }
+       if (str == NULL) {
+               bozo_http_error(httpd, 413, request, "request too large");
+               goto cleanup;
+       }
 
        /* now, clear it all out */
        alarm(0);
@@ -2124,7 +2128,7 @@
        if (httpd)
                tmp = bozomalloc(httpd, len);
        else if ((tmp = malloc(len)) == 0)
-                       return NULL;
+               return NULL;
 
        for (i = 0, j = 0; url[i]; i++) {
                switch (url[i]) {
@@ -2373,6 +2377,9 @@
  * inspired by fgetln(3), but works for fd's.  should work identically
  * except it, however, does *not* return the newline, and it does nul
  * terminate the string.
+ *
+ * returns NULL if the line grows too large.  empty lines will be
+ * returned with *lenp set to 0.
  */
 char *
 bozodgetln(bozohttpd_t *httpd, int fd, ssize_t *lenp,
@@ -2386,11 +2393,8 @@
        if (httpd->getln_buflen == 0) {
                /* should be plenty for most requests */
                httpd->getln_buflen = 128;
-               httpd->getln_buffer = malloc((size_t)httpd->getln_buflen);
-               if (httpd->getln_buffer == NULL) {
-                       httpd->getln_buflen = 0;
-                       return NULL;
-               }
+               httpd->getln_buffer =
+                   bozomalloc(httpd, (size_t)httpd->getln_buflen);
        }
        len = 0;
 
@@ -2406,6 +2410,9 @@
        for (; readfn(httpd, fd, &c, 1) == 1; ) {
                debug((httpd, DEBUG_EXPLODING, "bozodgetln read %c", c));
 
+               if (httpd->getln_buflen > BOZO_HEADERS_MAX_SIZE)
+                       return NULL;
+
                if (len >= httpd->getln_buflen - 1) {
                        httpd->getln_buflen *= 2;
                        debug((httpd, DEBUG_EXPLODING, "bozodgetln: "