From: Matthew Jordan Date: Wed, 27 Mar 2013 18:31:04 +0000 (+0000) Subject: AST-2013-002: Prevent denial of service in HTTP server X-Git-Tag: certified/1.8.15-cert2~3^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=212b9c23f9bacfb0afaf5027c44c27fe650b57d8;p=thirdparty%2Fasterisk.git AST-2013-002: Prevent denial of service in HTTP server AST-2012-014, fixed in January of this year, contained a fix for Asterisk's HTTP server for a remotely-triggered crash. While the fix put in place fixed the possibility for the crash to be triggered, a denial of service vector still exists with that solution if an attacker sends one or more HTTP POST requests with very large Content-Length values. This patch resolves this by capping the Content-Length at 1024 bytes. Any attempt to send an HTTP POST with Content-Length greater than this cap will not result in any memory allocation. The POST will be responded to with an HTTP 413 "Request Entity Too Large" response. This issue was reported by Christoph Hebeisen of TELUS Security Labs (closes issue ASTERISK-20967) Reported by: Christoph Hebeisen patches: AST-2013-002-1.8.diff uploaded by mmichelson (License 5049) AST-2013-002-10.diff uploaded by mmichelson (License 5049) AST-2013-002-11.diff uploaded by mmichelson (License 5049) git-svn-id: https://origsvn.digium.com/svn/asterisk/certified/branches/1.8.15@384108 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/main/http.c b/main/http.c index 2ed8050c19..ff387f86df 100644 --- a/main/http.c +++ b/main/http.c @@ -612,6 +612,8 @@ static void http_decode(char *s) ast_uri_decode(s); } +#define MAX_POST_CONTENT 1025 + /* * get post variables from client Request Entity-Body, if content type is * application/x-www-form-urlencoded @@ -644,6 +646,13 @@ struct ast_variable *ast_http_get_post_vars( return NULL; } + if (content_length > MAX_POST_CONTENT - 1) { + ast_log(LOG_WARNING, "Excessively long HTTP content. %d is greater than our max of %d\n", + content_length, MAX_POST_CONTENT); + ast_http_send(ser, AST_HTTP_POST, 413, "Request Entity Too Large", NULL, NULL, 0, 0); + return NULL; + } + buf = ast_malloc(content_length + 1); if (!buf) { return NULL;