[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-dev] Potential DOS vulnerability in jetty-7.6.3


This appears to be a problem added in 7.6.0 with the half close handling - once the buffer is full we can't complete the half close.

A fix has been committed to head and we are currently building 7.6.4

regards


On 22 May 2012 04:56, Benjamin Gordon <benjamin.gordon@xxxxxxxxxxx> wrote:
Hello-
Our security scanner exposed a DOS vulnerability in jetty-distribution-7.6.3.v20120416, where a netcat the following file to port 8080 causes the server to go into an infinite loop. (No servlets are deployed, fresh jetty install.)
The steps to reproduce are simply to run the following command with the attached file. This file contains the letter 'A' 6480 times. Piping this through netcat directly to port 8080 causes infinite recursion, with the following warning:
WARN:oejh.HttpParser:Full [835845122,-1,m=0,g=6144,p=6144,c=6144]

cat test.txt |nc 127.0.0.1 8080


After looking at the code, it appears as if there may be a bug in HttpParser.java when the _header buffer / view is full. 
An HttpException exception (413, full head) is thrown/caught, while _state == STATE_FIELD0, as the call to fill() throws. 
At this point the default block of the case statement in parseNext() sets state to STATE_END, and _handler.earlyEOF() which is a no-op is called. 
The exception is propagated to the caller and the infinite loop begins. HttpParser.fill() will constantly be called with the full buffer.

The finally block in AsyncHttpConnection.handle() gets called as expected, however, _parser.isComplete() will never be true as HttpParser's state is reset from STATE_END by the catch block to STATE_SEEKING_EOF. Also, progress does not get set to false as _request.getAsyncContinuation().isAsyncStarted() is in IDLE state. (This may be correct functionality, I am not sure.)
 
I can only guess that either the read buffer's mark is not getting correctly updated, or _handler.earlyEOF() should be updating state.
There are quite a few state machines, as expected with NIO, so I hope someone who is close to the code can come up with a patch quickly. 

I have spent about an hour looking at this, and would appreciate the help.

Thanks-
--ben 


_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-dev