
[core] limit con->uri.authority < 1024 octets

(expect < 256 octets for DNS name)

Since limit is imposed, can use buffer_clear() instead of buffer_reset()
for con->uri.authority and con->server_name.  (Also, con->uri.scheme is
limited to "http" and "https", so use buffer_clear() for it, too)
personal/stbuehler/fix-fdevent
Glenn Strauss 3 years ago
commit
cef6ee675d
  1. 13
      src/connections.c
  2. 11
      src/mod_openssl.c
  3. 20
      src/request.c

13
src/connections.c

@ -64,7 +64,7 @@ static int connection_del(server *srv, connection *con) {
if (-1 == con->ndx) return -1;
buffer_reset(con->uri.authority);
buffer_clear(con->uri.authority);
buffer_reset(con->uri.path);
buffer_reset(con->uri.query);
buffer_reset(con->request.orig_uri);
@ -619,18 +619,19 @@ int connection_reset(server *srv, connection *con) {
/* CLEAN(request.orig_uri); */
CLEAN(uri.scheme);
/* CLEAN(uri.authority); */
/* CLEAN(uri.path); */
CLEAN(uri.path_raw);
/* CLEAN(uri.query); */
CLEAN(parse_request);
CLEAN(server_name);
/*CLEAN(proto);*//* set to default in connection_accepted() */
#undef CLEAN
buffer_clear(con->uri.scheme);
/*buffer_clear(con->proto);*//* set to default in connection_accepted() */
/*buffer_clear(con->uri.authority);*/
buffer_clear(con->server_name);
con->request.http_host = NULL;
con->request.content_length = 0;
con->request.te_chunked = 0;
@ -1126,7 +1127,7 @@ int connection_state_machine(server *srv, connection *con) {
break;
case CON_STATE_REQUEST_END: /* transient */
buffer_reset(con->uri.authority);
buffer_clear(con->uri.authority);
buffer_reset(con->uri.path);
buffer_reset(con->uri.query);
buffer_reset(con->request.orig_uri);
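Review bot: The `buffer_clear()` calls in connection_del(), connection_reset() and the CON_STATE_REQUEST_END case depend on an invariant that is not written down at any of these sites: every write into `con->uri.authority` and `con->server_name` has to stay below 1024 octets, otherwise a large allocation that `buffer_reset()` presumably would have released stays attached to the connection object. The commit bounds the Host header, the request-line host and the SNI name, but whether every other writer of `con->server_name` (modules, config paths) is bounded as well cannot be confirmed from this page. I would add a comment at the calls, for example `/* buffer_clear() is sufficient: authority and server_name are limited to < 1024 octets where they are parsed (request.c, mod_openssl.c) */`, so that a later writer bypassing those checks is caught in review. All three functions continue outside the visible hunks.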

11
src/mod_openssl.c

@ -327,6 +327,7 @@ network_ssl_servername_callback (SSL *ssl, int *al, server *srv)
const char *servername;
handler_ctx *hctx = (handler_ctx *) SSL_get_app_data(ssl);
connection *con = hctx->con;
size_t len;
UNUSED(al);
buffer_copy_string(con->uri.scheme, "https");
@ -340,8 +341,14 @@ network_ssl_servername_callback (SSL *ssl, int *al, server *srv)
#endif
return SSL_TLSEXT_ERR_NOACK;
}
len = strlen(servername);
if (len >= 1024) { /*(expecting < 256)*/
log_error_write(srv, __FILE__, __LINE__, "sss", "SSL:",
"SNI name too long", servername);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
/* use SNI to patch mod_openssl config and then reset COMP_HTTP_HOST */
buffer_copy_string(con->uri.authority, servername);
buffer_copy_string_len(con->uri.authority, servername, len);
buffer_to_lower(con->uri.authority);
con->conditional_is_valid[COMP_HTTP_SCHEME] = 1;
@ -350,7 +357,7 @@ network_ssl_servername_callback (SSL *ssl, int *al, server *srv)
/* reset COMP_HTTP_HOST so that conditions re-run after request hdrs read */
/*(done in response.c:config_cond_cache_reset() after request hdrs read)*/
/*config_cond_cache_reset_item(con, COMP_HTTP_HOST);*/
/*buffer_reset(con->uri.authority);*/
/*buffer_clear(con->uri.authority);*/
if (NULL == hctx->conf.ssl_pemfile_x509
|| NULL == hctx->conf.ssl_pemfile_pkey) {
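Review bot: The new too-long branch in network_ssl_servername_callback() passes the rejected `servername` to `log_error_write()`, so a client that has not completed a handshake decides the content and size (1024 octets or more) of an error-log entry on every such attempt. That makes log growth cheap to trigger, and if the logger does not escape control characters (not visible here) the entry can also be made to look like several log lines. I would record only the event, `log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:", "SNI name too long");`, or at most a bounded, escaped prefix of the name. The literal 1024 is repeated in both request.c checks; a single named constant would keep the three limits from drifting apart. The function body continues outside these hunks.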

20
src/request.c

@ -348,10 +348,6 @@ int http_request_host_policy (connection *con, buffer *b, const buffer *scheme)
&& 0 != http_request_host_normalize(b, scheme_port(scheme))));
}
#if 0
#define DUMP_HEADER
#endif
static int http_request_split_value(array *vals, const char *current, size_t len) {
int state = 0;
const char *token_start = NULL, *token_end = NULL;
@ -468,6 +464,14 @@ static int parse_single_header(server *srv, connection *con, parse_header_state
case HTTP_HEADER_HOST:
if (!(con->request.htags & HTTP_HEADER_HOST)) {
saveb = &con->request.http_host;
if (vlen >= 1024) { /*(expecting < 256)*/
if (srv->srvconf.log_request_header_on_error) {
log_error_write(srv, __FILE__, __LINE__, "s", "uri-authority too long -> 400");
log_error_write(srv, __FILE__, __LINE__, "Sb",
"request-header:\n", con->request.request);
}
return 0; /* invalid header */
}
}
else if (state->reqline_host) {
/* ignore all Host: headers as we got Host in request line */
@ -867,6 +871,14 @@ static size_t http_request_parse_reqline(server *srv, connection *con, parse_hea
if (state->reqline_host) {
/* Insert as host header */
if (state->reqline_hostlen >= 1024) { /*(expecting < 256)*/
if (srv->srvconf.log_request_header_on_error) {
log_error_write(srv, __FILE__, __LINE__, "s", "uri-authority too long -> 400");
log_error_write(srv, __FILE__, __LINE__, "Sb",
"request-header:\n", con->request.request);
}
return 0;
}
http_header_request_set(con, HTTP_HEADER_HOST, CONST_STR_LEN("Host"), state->reqline_host, state->reqline_hostlen);
con->request.http_host = http_header_request_get(con, HTTP_HEADER_HOST, CONST_STR_LEN("Host"));
}
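Review bot: The length check and its two log calls are duplicated verbatim in the HTTP_HEADER_HOST case of parse_single_header() and in http_request_parse_reqline(); a small static helper would keep the two rejections and the limit identical. The message says "-> 400", yet both added blocks only `return 0`, so the status is set by callers outside these hunks and a short comment naming where would help. The rejection is also logged only when `log_request_header_on_error` is enabled, so by default an operator gets no signal that oversized authorities are being sent; consider whether the one-line message should be unconditional. Both enclosing functions start and end outside the hunks.
```c
/* returns 1 (and logs if configured) when the authority exceeds the limit */
static int http_request_authority_too_long(server *srv, connection *con, size_t len) {
    if (len < 1024) return 0; /*(expecting < 256)*/
    if (srv->srvconf.log_request_header_on_error) {
        log_error_write(srv, __FILE__, __LINE__, "s", "uri-authority too long -> 400");
        log_error_write(srv, __FILE__, __LINE__, "Sb",
                        "request-header:\n", con->request.request);
    }
    return 1;
}

/* … unchanged: parse_single_header() up to case HTTP_HEADER_HOST … */
            saveb = &con->request.http_host;
            if (http_request_authority_too_long(srv, con, vlen))
                return 0; /* invalid header */

/* … unchanged: http_request_parse_reqline() up to the reqline_host branch … */
        if (http_request_authority_too_long(srv, con, state->reqline_hostlen))
            return 0;
```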
