Opened 2 years ago

Closed 2 years ago

#21325 closed defect (wontfix)

DoS in uhttpd

Reported by: rafael.scheel@…
Owned by: developers
Priority: normal
Milestone:
Component: packages
Version: Trunk
Keywords: DoS
Cc:

Description

Hello,

There is a small security-relevant problem in uhttpd. If an HTTP request is sent without HTTP/x.x, the server crashes with a SIGSEGV in my test environment.
Just send the following to the server (no space after the /):

GET /
Host: localhost

GDB-Output:

(gdb) run -f -h /var/www/html -r DoS -x /cgi-bin -p 80
Starting program: /media/sf_00_arbeit/99_temp/compile/src/uhttpd -f -h /var/www/html -r DoS -x /cgi-bin -p 80

Program received signal SIGSEGV, Segmentation fault.
__strcmp_sse4_2 () at ../sysdeps/i386/i686/multiarch/strcmp-sse4.S:229
229	../sysdeps/i386/i686/multiarch/strcmp-sse4.S: No such file or directory.
(gdb) info stack
#0  __strcmp_sse4_2 () at ../sysdeps/i386/i686/multiarch/strcmp-sse4.S:229
#1  0x08049efc in uh_http_header_parse (cl=0x805af80 <uh_clients>, buffer=0x8051700 <buffer> "GET", 
    buflen=26) at uhttpd.c:252
#2  0x0804a277 in uh_http_header_recv (cl=0x805af80 <uh_clients>) at uhttpd.c:352
#3  0x0804ac54 in main (argc=10, argv=0xbffff4f4) at uhttpd.c:863
(gdb) 

The problem is pretty simple:
In uhttpd.c -> uh_http_header_parse(...), line 209:

		/* find http version */
		if( (path != NULL) && ((version = strchr(path, ' ')) != NULL) )
			*version++ = 0;

So version is set to NULL, but *version++ = 0; is not executed.

After that, version is passed to strcmp, which therefore fails (line 252):

		/* check version */
		if( strcmp(version, "HTTP/0.9") && strcmp(version, "HTTP/1.0") && strcmp(version, "HTTP/1.1") )
		{
			/* unsupported version */
			uh_http_response(cl, 400, "Bad Request");
			return NULL;
		}

Cheers,
Rafael
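
A guarded form of the request-line split described in this report, as an added example that is not part of the original ticket and not uhttpd's own code. The names `req_line`, `parse_request_line` and `check` are hypothetical, and the request strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names (not uhttpd's API). Returns 0 if the request line is
 * acceptable, 400 if it must be rejected. */
struct req_line { char *method, *path, *version; };

static int parse_request_line(char *line, struct req_line *out)
{
	char *eol;
	memset(out, 0, sizeof(*out));
	/* look at the request line only: cut at the first CR or LF */
	if ((eol = strpbrk(line, "\r\n")) != NULL)
		*eol = 0;

	out->method = line;
	if ((out->path = strchr(line, ' ')) != NULL)
		*out->path++ = 0;

	/* same split as in the report: version stays NULL without a 2nd space */
	if (out->path != NULL && (out->version = strchr(out->path, ' ')) != NULL)
		*out->version++ = 0;

	/* the guard the reported code lacks: reject before any strcmp() */
	if (out->path == NULL || out->version == NULL)
		return 400;
	if (strcmp(out->version, "HTTP/0.9") && strcmp(out->version, "HTTP/1.0") &&
	    strcmp(out->version, "HTTP/1.1"))
		return 400;
	return 0;
}

/* Parse a writable copy of a constructed request; 400 if it does not fit. */
static int check(const char *request)
{
	char buf[128];
	struct req_line rl;
	if (strlen(request) >= sizeof(buf))
		return 400;
	strcpy(buf, request);
	return parse_request_line(buf, &rl);
}

int main(void)
{
	printf("%d\n", check("GET /\r\nHost: localhost\r\n\r\n"));          /* no version */
	printf("%d\n", check("GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")); /* valid */
	return 0;
}
```
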

Attachments (0)

Change History (1)

comment:1 Changed 2 years ago by jow

  • Resolution set to wontfix
  • Status changed from new to closed

All recent OpenWrt versions use uhttpd2 which does not crash with the testcase above.
