1 |
jer 13/08/31 16:44:15 |
2 |
|
3 |
Added: tinyproxy-1.8.3-DoS-Prevention.patch |
4 |
Removed: tinyproxy-1.8.3-r2-DoS-Prevention.patch |
5 |
Log: |
6 |
Fix patch name (Gentoo revisions do not make sense). |
7 |
|
8 |
(Portage version: 2.2.1/cvs/Linux x86_64, signed Manifest commit with key A792A613) |
9 |
|
10 |
Revision Changes Path |
11 |
1.1 net-proxy/tinyproxy/files/tinyproxy-1.8.3-DoS-Prevention.patch |
12 |
|
13 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-proxy/tinyproxy/files/tinyproxy-1.8.3-DoS-Prevention.patch?rev=1.1&view=markup |
14 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-proxy/tinyproxy/files/tinyproxy-1.8.3-DoS-Prevention.patch?rev=1.1&content-type=text/plain |
15 |
|
16 |
Index: tinyproxy-1.8.3-DoS-Prevention.patch |
17 |
=================================================================== |
18 |
https://banu.com/bugzilla/show_bug.cgi?id=110#c4 |
19 |
|
20 |
From 526215dbb4abb1cff9a170343fa50dbda9492eb1 Mon Sep 17 00:00:00 2001 |
21 |
From: Michael Adam <obnox@×××××.org> |
22 |
Date: Fri, 15 Mar 2013 12:34:01 +0100 |
23 |
Subject: [PATCH 1/2] [BB#110] secure the hashmaps by adding a seed |
24 |
|
25 |
Based on patch provided by gpernot@×××××××.org on bugzilla. |
26 |
|
27 |
Signed-off-by: Michael Adam <obnox@×××××.org> |
28 |
--- |
29 |
configure.ac | 2 ++ |
30 |
src/child.c | 1 + |
31 |
src/hashmap.c | 14 ++++++++------ |
32 |
3 files changed, 11 insertions(+), 6 deletions(-) |
33 |
|
34 |
diff --git a/configure.ac b/configure.ac |
35 |
index ecbcba0..cc40e85 100644 |
36 |
--- a/configure.ac |
37 |
+++ b/configure.ac |
38 |
@@ -205,6 +205,8 @@ AC_CHECK_FUNCS([gethostname inet_ntoa memchr memset select socket strcasecmp \ |
39 |
AC_CHECK_FUNCS([isascii memcpy setrlimit ftruncate regcomp regexec]) |
40 |
AC_CHECK_FUNCS([strlcpy strlcat]) |
41 |
|
42 |
+AC_CHECK_FUNCS([time rand srand]) |
43 |
+ |
44 |
|
45 |
dnl Enable extra warnings |
46 |
DESIRED_FLAGS="-fdiagnostics-show-option -Wall -Wextra -Wno-unused-parameter -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Wfloat-equal -Wundef -Wformat=2 -Wlogical-op -Wmissing-include-dirs -Wformat-nonliteral -Wold-style-definition -Wpointer-arith -Waggregate-return -Winit-self -Wpacked --std=c89 -ansi -pedantic -Wno-overlength-strings -Wc++-compat -Wno-long-long -Wno-overlength-strings -Wdeclaration-after-statement -Wredundant-decls -Wmissing-noreturn -Wshadow -Wendif-labels -Wcast-qual -Wcast-align -Wwrite-strings -Wp,-D_FORTIFY_SOURCE=2 -fno-common" |
47 |
diff --git a/src/child.c b/src/child.c |
48 |
index 34e20e0..0d778d9 100644 |
49 |
--- a/src/child.c |
50 |
+++ b/src/child.c |
51 |
@@ -196,6 +196,7 @@ static void child_main (struct child_s *ptr) |
52 |
} |
53 |
|
54 |
ptr->connects = 0; |
55 |
+ srand(time(NULL)); |
56 |
|
57 |
while (!config.quit) { |
58 |
ptr->status = T_WAITING; |
59 |
diff --git a/src/hashmap.c b/src/hashmap.c |
60 |
index f46fdcb..8cf7c6b 100644 |
61 |
--- a/src/hashmap.c |
62 |
+++ b/src/hashmap.c |
63 |
@@ -50,6 +50,7 @@ struct hashbucket_s { |
64 |
}; |
65 |
|
66 |
struct hashmap_s { |
67 |
+ uint32_t seed; |
68 |
unsigned int size; |
69 |
hashmap_iter end_iterator; |
70 |
|
71 |
@@ -65,7 +66,7 @@ struct hashmap_s { |
72 |
* |
73 |
* If any of the arguments are invalid a negative number is returned. |
74 |
*/ |
75 |
-static int hashfunc (const char *key, unsigned int size) |
76 |
+static int hashfunc (const char *key, unsigned int size, uint32_t seed) |
77 |
{ |
78 |
uint32_t hash; |
79 |
|
80 |
@@ -74,7 +75,7 @@ static int hashfunc (const char *key, unsigned int size) |
81 |
if (size == 0) |
82 |
return -ERANGE; |
83 |
|
84 |
- for (hash = tolower (*key++); *key != '\0'; key++) { |
85 |
+ for (hash = seed; *key != '\0'; key++) { |
86 |
uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0; |
87 |
|
88 |
hash >>= 1; |
89 |
@@ -104,6 +105,7 @@ hashmap_t hashmap_create (unsigned int nbuckets) |
90 |
if (!ptr) |
91 |
return NULL; |
92 |
|
93 |
+ ptr->seed = (uint32_t)rand(); |
94 |
ptr->size = nbuckets; |
95 |
ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets, |
96 |
sizeof (struct |
97 |
@@ -201,7 +203,7 @@ hashmap_insert (hashmap_t map, const char *key, const void *data, size_t len) |
98 |
if (!data || len < 1) |
99 |
return -ERANGE; |
100 |
|
101 |
- hash = hashfunc (key, map->size); |
102 |
+ hash = hashfunc (key, map->size, map->seed); |
103 |
if (hash < 0) |
104 |
return hash; |
105 |
|
106 |
@@ -382,7 +384,7 @@ ssize_t hashmap_search (hashmap_t map, const char *key) |
107 |
if (map == NULL || key == NULL) |
108 |
return -EINVAL; |
109 |
|
110 |
- hash = hashfunc (key, map->size); |
111 |
+ hash = hashfunc (key, map->size, map->seed); |
112 |
if (hash < 0) |
113 |
return hash; |
114 |
|
115 |
@@ -416,7 +418,7 @@ ssize_t hashmap_entry_by_key (hashmap_t map, const char *key, void **data) |
116 |
if (!map || !key || !data) |
117 |
return -EINVAL; |
118 |
|
119 |
- hash = hashfunc (key, map->size); |
120 |
+ hash = hashfunc (key, map->size, map->seed); |
121 |
if (hash < 0) |
122 |
return hash; |
123 |
|
124 |
@@ -451,7 +453,7 @@ ssize_t hashmap_remove (hashmap_t map, const char *key) |
125 |
if (map == NULL || key == NULL) |
126 |
return -EINVAL; |
127 |
|
128 |
- hash = hashfunc (key, map->size); |
129 |
+ hash = hashfunc (key, map->size, map->seed); |
130 |
if (hash < 0) |
131 |
return hash; |
132 |
|
133 |
-- |
134 |
1.7.9.5 |
135 |
|
136 |
https://banu.com/bugzilla/show_bug.cgi?id=110#c5 |
137 |
|
138 |
From f1189daec6866efeb44f24073cd19d7ece86e537 Mon Sep 17 00:00:00 2001 |
139 |
From: Michael Adam <obnox@×××××.org> |
140 |
Date: Fri, 15 Mar 2013 13:10:01 +0100 |
141 |
Subject: [PATCH 2/2] [BB#110] limit the number of headers per request to |
142 |
prevent DoS |
143 |
|
144 |
Based on patch provided by gpernot@×××××××.org on bugzilla. |
145 |
|
146 |
Signed-off-by: Michael Adam <obnox@×××××.org> |
147 |
--- |
148 |
src/reqs.c | 17 ++++++++++++++++- |
149 |
1 file changed, 16 insertions(+), 1 deletion(-) |
150 |
|
151 |
diff --git a/src/reqs.c b/src/reqs.c |
152 |
index 2de43a8..af014ba 100644 |
153 |
--- a/src/reqs.c |
154 |
+++ b/src/reqs.c |
155 |
@@ -611,12 +611,19 @@ add_header_to_connection (hashmap_t hashofheaders, char *header, size_t len) |
156 |
} |
157 |
|
158 |
/* |
159 |
+ * define max number of headers. |
160 |
+ * big enough to handle legitimate cases, but limited to avoid DoS |
161 |
+ */ |
162 |
+#define MAX_HEADERS 10000 |
163 |
+ |
164 |
+/* |
165 |
* Read all the headers from the stream |
166 |
*/ |
167 |
static int get_all_headers (int fd, hashmap_t hashofheaders) |
168 |
{ |
169 |
char *line = NULL; |
170 |
char *header = NULL; |
171 |
+ int count; |
172 |
char *tmp; |
173 |
ssize_t linelen; |
174 |
ssize_t len = 0; |
175 |
@@ -625,7 +632,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders) |
176 |
assert (fd >= 0); |
177 |
assert (hashofheaders != NULL); |
178 |
|
179 |
- for (;;) { |
180 |
+ for (count = 0; count < MAX_HEADERS; count++) { |
181 |
if ((linelen = readline (fd, &line)) <= 0) { |
182 |
safefree (header); |
183 |
safefree (line); |
184 |
@@ -691,6 +698,14 @@ static int get_all_headers (int fd, hashmap_t hashofheaders) |
185 |
|
186 |
safefree (line); |
187 |
} |
188 |
+ |
189 |
+ /* |
190 |
+ * if we get there, this is we reached MAX_HEADERS count |
191 |
+ * bail out with error |
192 |
+ */ |
193 |
+ safefree (header); |
194 |
+ safefree (line); |
195 |
+ return -1; |
196 |
} |
197 |
|
198 |
/* |
199 |
-- |
200 |
1.7.9.5 |