From 545463c75d7f6ce5830f1ea98b030c935df729bf Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 15 Mar 2013 13:10:01 +0100 Subject: BB#110 limit the number of headers per request to prevent DoS Based on patch provided by gpernot@praksys.org on bugzilla. Signed-off-by: Michael Adam --- src/reqs.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/src/reqs.c b/src/reqs.c index 6a4b365..10ada84 100644 --- a/src/reqs.c +++ b/src/reqs.c @@ -596,6 +596,13 @@ add_header_to_connection (hashmap_t hashofheaders, char *header, size_t len) return hashmap_insert (hashofheaders, header, sep, len); } +/* + * Define maximum number of headers that we accept. + * This should be big enough to handle legitimate cases, + * but limited to avoid DoS. + */ +#define MAX_HEADERS 10000 + /* * Read all the headers from the stream */ @@ -603,6 +610,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders) { char *line = NULL; char *header = NULL; + int count; char *tmp; ssize_t linelen; ssize_t len = 0; @@ -611,7 +619,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders) assert (fd >= 0); assert (hashofheaders != NULL); - for (;;) { + for (count = 0; count < MAX_HEADERS; count++) { if ((linelen = readline (fd, &line)) <= 0) { safefree (header); safefree (line); @@ -677,6 +685,14 @@ static int get_all_headers (int fd, hashmap_t hashofheaders) safefree (line); } + + /* + * If we get here, this means we reached MAX_HEADERS count. + * Bail out with error. + */ + safefree (header); + safefree (line); + return -1; } /* -- cgit v1.2.3