BB#110 limit the number of headers per request to prevent DoS

Based on patch provided by gpernot@praksys.org on bugzilla. Signed-off-by: Michael Adam <obnox@samba.org> (cherry picked from commit 545463c75d)
2013-03-15 13:10:01 +01:00 · 2013-03-15 13:10:01 +01:00 · c348513095
commit c348513095
parent 8845bdbff7
1 changed files with 17 additions and 1 deletions
--- a/src/reqs.c
+++ b/src/reqs.c
@ -596,6 +596,13 @@ add_header_to_connection (hashmap_t hashofheaders, char *header, size_t len)
        return hashmap_insert (hashofheaders, header, sep, len);
 }

+/*
+ * Define maximum number of headers that we accept.
+ * This should be big enough to handle legitimate cases,
+ * but limited to avoid DoS.
+ */
+#define MAX_HEADERS 10000
+
 /*
 * Read all the headers from the stream
 */
@ -603,6 +610,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
 {
        char *line = NULL;
        char *header = NULL;
+        int count;
        char *tmp;
        ssize_t linelen;
        ssize_t len = 0;
@ -611,7 +619,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
        assert (fd >= 0);
        assert (hashofheaders != NULL);

-        for (;;) {
+        for (count = 0; count < MAX_HEADERS; count++) {
                if ((linelen = readline (fd, &line)) <= 0) {
                        safefree (header);
                        safefree (line);
@ -677,6 +685,14 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)

                safefree (line);
        }
+
+        /*
+         * If we get here, this means we reached MAX_HEADERS count.
+         * Bail out with error.
+         */
+        safefree (header);
+        safefree (line);
+        return -1;
 }

 /*