Re: [jetty-dev] Potential DOS vulnerability in jetty-7.6.3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-dev] Potential DOS vulnerability in jetty-7.6.3

From: Greg Wilkins <gregw@xxxxxxxxxxx>
Date: Tue, 22 May 2012 21:36:26 +0200
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-dev>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>

This appears to be a problem added in 7.6.0 with the half close handling - once the buffer is full we can't complete the half close.

A fix has been committed to head and we are currently building 7.6.4

regards

On 22 May 2012 04:56, Benjamin Gordon <benjamin.gordon@xxxxxxxxxxx> wrote:

Hello-
Our security scanner exposed a DOS vulnerability in jetty-distribution-7.6.3.v20120416, where a netcat the following file to port 8080 causes the server to go into an infinite loop. (No servlets are deployed, fresh jetty install.)

The steps to reproduce are simply to run the following command with the attached file. This file contains the letter 'A' 6480 times. Piping this through netcat directly to port 8080 causes infinite recursion, with the following warning:

WARN:oejh.HttpParser:Full [835845122,-1,m=0,g=6144,p=6144,c=6144]

cat test.txt |nc 127.0.0.1 8080

After looking at the code, it appears as if there may be a bug in HttpParser.java when the _header buffer / view is full.

An HttpException exception (413, full head) is thrown/caught, while _state == STATE_FIELD0, as the call to fill() throws.

At this point the default block of the case statement in parseNext() sets state to STATE_END, and _handler.earlyEOF() which is a no-op is called.

The exception is propagated to the caller and the infinite loop begins. HttpParser.fill() will constantly be called with the full buffer.

The finally block in AsyncHttpConnection.handle() gets called as expected, however, _parser.isComplete() will never be true as HttpParser's state is reset from STATE_END by the catch block to STATE_SEEKING_EOF. Also, progress does not get set to false as _request.getAsyncContinuation().isAsyncStarted() is in IDLE state. (This may be correct functionality, I am not sure.)

I can only guess that either the read buffer's mark is not getting correctly updated, or _handler.earlyEOF() should be updating state.

There are quite a few state machines, as expected with NIO, so I hope someone who is close to the code can come up with a patch quickly.

I have spent about an hour looking at this, and would appreciate the help.

Thanks-

--ben

_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-dev

References:
- [jetty-dev] Potential DOS vulnerability in jetty-7.6.3
  - From: Benjamin Gordon

Prev by Date: Re: [jetty-dev] Issues getting iJetty up and running with dependencies
Next by Date: [jetty-dev] hanging JGit HTTP tests using Jetty 8.1.3.v20120416
Previous by thread: [jetty-dev] Potential DOS vulnerability in jetty-7.6.3
Next by thread: [jetty-dev] Issues getting iJetty up and running with dependencies
Index(es):
- Date
- Thread

Breadcrumbs