Re: [jetty-dev] Potential DOS vulnerability in jetty-7.6.3
Hello,
Our security scanner exposed a DOS vulnerability in jetty-distribution-7.6.3.v20120416, where a netcat of the following file to port 8080 causes the server to go into an infinite loop. (No servlets are deployed, fresh jetty install.)
The steps to reproduce are simply to run the following command with the attached file. This file contains the letter 'A' 6480 times. Piping this through netcat directly to port 8080 causes infinite recursion, with the following warning:
WARN:oejh.HttpParser:Full [835845122,-1,m=0,g=6144,p=6144,c=6144]
cat test.txt |nc 127.0.0.1 8080
After looking at the code, it appears as if there may be a bug in HttpParser.java when the _header buffer / view is full.
An HttpException exception (413, full head) is thrown/caught, while _state == STATE_FIELD0, as the call to fill() throws.
At this point the default block of the case statement in parseNext() sets state to STATE_END, and _handler.earlyEOF(), which is a no-op, is called.
The exception is propagated to the caller and the infinite loop begins. HttpParser.fill() will constantly be called with the full buffer.
The finally block in AsyncHttpConnection.handle() gets called as expected, however, _parser.isComplete() will never be true as HttpParser's state is reset from STATE_END by the catch block to STATE_SEEKING_EOF. Also, progress does not get set to false as _request.getAsyncContinuation().isAsyncStarted() is in IDLE state. (This may be correct functionality, I am not sure.)
I can only guess that either the read buffer's mark is not getting correctly updated, or _handler.earlyEOF() should be updating state.
There are quite a few state machines, as expected with NIO, so I hope someone who is close to the code can come up with a patch quickly.
I have spent about an hour looking at this, and would appreciate the help.
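
The failure mode reported above, reduced to a stand-alone model: this is an added example, not code from the original message or from Jetty, and every class, field and constant in it is hypothetical (including the assumed 6144-byte header buffer and the spin guard that lets the demonstration terminate). It contrasts a connection loop that leaves the terminal state after a full-head error with one that treats the error as terminal.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

// Simplified model, not Jetty code: every name below is hypothetical.
public class HeaderFullLoopModel {
    enum State { HEADER, SEEKING_EOF, END }
    static final int CAPACITY = 6144;   // assumed header buffer size
    static final int SPIN_LIMIT = 1000; // guard so the demo terminates

    final byte[] header = new byte[CAPACITY];
    int filled = 0;
    State state = State.HEADER;

    // Reads into the header buffer. This model does no header parsing, so a
    // full buffer always means the request head never completed.
    int fill(InputStream in) throws IOException {
        if (filled == CAPACITY) throw new IOException("413 full head");
        int n = in.read(header, filled, CAPACITY - filled);
        if (n > 0) filled += n;
        return n;
    }

    // Returns the number of loop iterations spent handling the connection.
    int handle(InputStream in, boolean hardened) {
        int iterations = 0;
        while (state != State.END && iterations < SPIN_LIMIT) {
            iterations++;
            try {
                if (fill(in) < 0) state = State.END;   // peer closed
            } catch (IOException full) {
                // Unhardened: the state leaves the terminal state while the
                // buffer stays full, so the next fill() throws again.
                // Hardened: a full head is terminal (respond 413, close).
                state = hardened ? State.END : State.SEEKING_EOF;
            }
        }
        return iterations;
    }

    public static void main(String[] args) {
        byte[] request = new byte[6480];   // constructed input, no header terminator
        Arrays.fill(request, (byte) 'A');
        for (boolean hardened : new boolean[] { false, true }) {
            int n = new HeaderFullLoopModel().handle(new ByteArrayInputStream(request), hardened);
            System.out.println((hardened ? "hardened: " : "unhardened: ") + n + " iterations");
        }
    }
}
```

In the unhardened run the loop exits only because of the spin guard; a connection loop that sees repeated fill failures with no bytes consumed is the condition worth alerting on or bounding.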