Project

General

Profile

Actions

Bug #3776

closed

Timeout in libhtp due to multiple responses with double lzma encoding

Added by Philippe Antoine over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23285

24k responses for 465 kilobytes, making sure each response is under the thresholds for compression bombs


Related issues 1 (0 open1 closed)

Related to Suricata - Task #3824: libhtp 0.5.34ClosedPhilippe AntoineActions
Actions #1

Updated by Philippe Antoine over 4 years ago

  • Private changed from No to Yes
Actions #2

Updated by Philippe Antoine over 4 years ago

  • Status changed from New to In Review

Gitlab PR

Actions #3

Updated by Philippe Antoine over 4 years ago

Actions #4

Updated by Philippe Antoine over 4 years ago

  • Target version set to 6.0.0rc1
Actions #5

Updated by Philippe Antoine over 4 years ago

  • Private changed from Yes to No

This issue involves an evil client and an evil server which repeat the same pattern, expensive in terms of CPU
The evil server sends a HTTP response with two layers of lzma compression

Workaround is to set lzma-enabled: false in suricata.yaml (lzma-enabled is commented by default)
Another workaround is to set response-body-decompress-layer-limit: 1 in suricata.yaml (default value is 2)

Actions

Also available in: Atom PDF