Project

General

Profile

Actions

Security #6444

closed

http1: quadratic complexity from infinite folded headers

Added by Philippe Antoine about 1 year ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

20ac301d801cdf01b3f021cca08a22a87f477c4a

Severity:
CRITICAL
Disclosure Date:
01/24/2024

Description

Found by oss-fuzz with quadfuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63600&q=label%3AProj-suricata

POC to reproduce is

GET / HTTP/1.1
Host: localhost
Header: a
 b
 b
 b
 b

never stopping


Files

lol.pcap (1.11 MB) lol.pcap reproducer Philippe Antoine, 11/08/2023 08:55 AM

Subtasks 2 (0 open2 closed)

Security #6528: http1: quadratic complexity from infinite folded headers (6.0.x backport)ClosedPhilippe AntoineActions
Security #6533: http1: quadratic complexity from infinite folded headers (7.0.x backport)ClosedPhilippe AntoineActions
Actions

Also available in: Atom PDF