From 545463c75d7f6ce5830f1ea98b030c935df729bf Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Fri, 15 Mar 2013 13:10:01 +0100
Subject: BB#110 limit the number of headers per request to prevent DoS

Based on patch provided by gpernot@praksys.org on bugzilla.

Signed-off-by: Michael Adam <obnox@samba.org>
---
 src/reqs.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

(limited to 'src/reqs.c')

diff --git a/src/reqs.c b/src/reqs.c
index 6a4b365..10ada84 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -596,6 +596,13 @@ add_header_to_connection (hashmap_t hashofheaders, char *header, size_t len)
         return hashmap_insert (hashofheaders, header, sep, len);
 }
 
+/*
+ * Define maximum number of headers that we accept.
+ * This should be big enough to handle legitimate cases,
+ * but limited to avoid DoS.
+ */
+#define MAX_HEADERS 10000
+
 /*
  * Read all the headers from the stream
  */
@@ -603,6 +610,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
 {
         char *line = NULL;
         char *header = NULL;
+        int count;
         char *tmp;
         ssize_t linelen;
         ssize_t len = 0;
@@ -611,7 +619,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
         assert (fd >= 0);
         assert (hashofheaders != NULL);
 
-        for (;;) {
+        for (count = 0; count < MAX_HEADERS; count++) {
                 if ((linelen = readline (fd, &line)) <= 0) {
                         safefree (header);
                         safefree (line);
@@ -677,6 +685,14 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
 
                 safefree (line);
         }
+
+        /*
+         * If we get here, this means we reached MAX_HEADERS count.
+         * Bail out with error.
+         */
+        safefree (header);
+        safefree (line);
+        return -1;
 }
 
 /*
-- 
cgit v1.2.3