Security #6444

closed

http1: quadratic complexity from infinite folded headers

Added by Philippe Antoine about 1 year ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Label:
Git IDs: 20ac301d801cdf01b3f021cca08a22a87f477c4a
Severity: CRITICAL
Disclosure Date: 01/24/2024

Description

Found by oss-fuzz with quadfuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63600&q=label%3AProj-suricata

POC to reproduce is

GET / HTTP/1.1
Host: localhost
Header: a
 b
 b
 b
 b

never stopping


Files

lol.pcap (1.11 MB) lol.pcap reproducer Philippe Antoine, 11/08/2023 08:55 AM

Subtasks 2 (0 open, 2 closed)

Security #6528: http1: quadratic complexity from infinite folded headers (6.0.x backport) - Closed - Philippe Antoine
Security #6533: http1: quadratic complexity from infinite folded headers (7.0.x backport) - Closed - Philippe Antoine

Actions #1

Updated by Philippe Antoine about 1 year ago

  • Status changed from New to In Review

Gitlab

Actions #2

Updated by Philippe Antoine about 1 year ago

Actions #3

Updated by Victor Julien about 1 year ago

Affects 6.0.x as well, right?

Actions #4

Updated by Philippe Antoine about 1 year ago

indeed, but the proposed fix is just in libhtp

Actions #5

Updated by Victor Julien about 1 year ago

  • Label Needs backport to 6.0, Needs backport to 7.0 added
Actions #6

Updated by Victor Julien about 1 year ago

  • Target version changed from 7.0.3 to 8.0.0-beta1
Actions #7

Updated by OISF Ticketbot about 1 year ago

  • Subtask #6528 added
Actions #8

Updated by OISF Ticketbot about 1 year ago

  • Label deleted (Needs backport to 6.0)
Actions #9

Updated by OISF Ticketbot about 1 year ago

  • Subtask #6533 added
Actions #10

Updated by OISF Ticketbot about 1 year ago

  • Label deleted (Needs backport to 7.0)
Actions #11

Updated by Philippe Antoine 12 months ago

  • Disclosure Date set to 01/24/2024
Actions #12

Updated by Victor Julien 12 months ago

  • Severity changed from MODERATE to CRITICAL

Client only, easy to create attack traffic. So CRITICAL.

Actions #13

Updated by Victor Julien 11 months ago

  • Status changed from In Review to Resolved
Actions #14

Updated by Victor Julien 11 months ago

  • CVE set to 2024-23837

Issue is in libhtp and is fixed in libhtp 0.5.46.

Actions #15

Updated by Philippe Antoine 10 months ago

  • Status changed from Resolved to Closed
  • Git IDs updated (diff)
Actions #16

Updated by Victor Julien 10 months ago

  • Private changed from Yes to No
Actions #18

Updated by Philippe Antoine 9 months ago

This did not affect libhtp-rs as it parses headers differently, avoiding the need to realloc for folded headers
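
The growth pattern named in the ticket title, as an added example that is not part of this ticket and is not libhtp code: it counts the bytes copied when every folded continuation line triggers a fresh allocation and a copy of the whole value, then handles the same input with geometric growth and a length cap. The function names and the `max_len` limit are assumptions made for illustration; the fix shipped in libhtp 0.5.46 may work differently.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-fold pattern: each continuation line recopies the whole value so far. */
size_t fold_copy_each_time(size_t folds, const char *piece) {
    size_t plen = strlen(piece), len = 0, copied = 0;
    char *val = NULL;
    for (size_t i = 0; i < folds; i++) {
        char *nv = malloc(len + plen);
        if (!nv) break;
        if (len) memcpy(nv, val, len);      /* old bytes copied once more */
        memcpy(nv + len, piece, plen);
        copied += len + plen;
        free(val);
        val = nv;
        len += plen;
    }
    free(val);
    return copied;
}

/* Bounded variant: geometric growth plus max_len, a hypothetical cap.
 * Returns worst-case bytes copied, or (size_t)-1 once the cap is hit. */
size_t fold_bounded(size_t folds, const char *piece, size_t max_len) {
    size_t plen = strlen(piece), len = 0, cap = 0, copied = 0;
    char *val = NULL;
    for (size_t i = 0; i < folds; i++) {
        if (len + plen > max_len) { free(val); return (size_t)-1; }
        if (len + plen > cap) {
            size_t ncap = cap ? cap * 2 : 64;
            while (ncap < len + plen) ncap *= 2;
            char *nv = realloc(val, ncap);
            if (!nv) { free(val); return (size_t)-1; }
            copied += len;                  /* assume realloc moved the data */
            val = nv; cap = ncap;
        }
        memcpy(val + len, piece, plen);
        copied += plen;
        len += plen;
    }
    free(val);
    return copied;
}

int main(void) {   /* " b" is the continuation line from the ticket's POC */
    for (size_t n = 1000; n <= 4000; n *= 2)
        printf("%zu folds: %zu vs %zu bytes copied\n", n,
               fold_copy_each_time(n, " b"), fold_bounded(n, " b", 65536));
    return 0;
}
```

Doubling the number of folds roughly quadruples the first count and roughly doubles the second, and the cap turns a header that never stops into a bounded rejection.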
