Bug #1900
wrong format when long request size
| Status: | Fixed | Start date: | 2009-02-15 |
|---|---|---|---|
| Priority: | High | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | core | | |
| Target version: | 1.5.0 | | |
| Missing in 1.5.x: | | | |
Description
===
diff r 48f3f2b6cb81 src/request.c a/src/request.c Sun Feb 15 16:52:40 2009 0300
--
++ b/src/request.c Sun Feb 15 23:24:29 2009 +0300@ -656,7 +656,7 @
con->http_status = 413;
con->keep_alive = 0;
- log_error_write(srv, FILE, LINE, "sds",
+ log_error_write(srv, FILE, LINE, "sos",
"request-size too long:", con->request.content_length, "-> 413");
return 0;
}
===
On 32-bit hosts, this causes "-> 413" not to be printed if the file size is below 2G, and causes bad things if above 2G. Probably, this is a security vulnerability.
Associated revisions
Fix wrong format strings (#1900, thx stepancheg)
Fix wrong format strings (fixes #1900, thx stepancheg)
History
#1 Updated by stepancheg over 4 years ago
diff -r 48f3f2b6cb81 src/request.c
--- a/src/request.c Sun Feb 15 16:52:40 2009 +0300
+++ b/src/request.c Sun Feb 15 23:24:29 2009 +0300
@@ -656,7 +656,7 @@
con->http_status = 413;
con->keep_alive = 0;
- log_error_write(srv, __FILE__, __LINE__, "sds",
+ log_error_write(srv, __FILE__, __LINE__, "sos",
"request-size too long:", con->request.content_length, "-> 413");
return 0;
}
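Review bot: the descriptor change from "sds" to "sos" is the right fix for this call, because con->request.content_length is an off_t, not an int: on a 32-bit build with large-file support off_t is 64 bits wide, so reading it with the 'd' (int) descriptor consumes only half of it and leaves the other half to be picked up as the char* for the trailing "-> 413" string, which is exactly the truncated line the reporter pasted in #3. Since the associated revision is titled "Fix wrong format strings" (plural), it is worth checking the other log_error_write call sites that pass content_length or another off_t value and making sure each one uses 'o' as well.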
#2 Updated by stbuehler over 4 years ago
Yes, this looks like a bug. But I couldn't reproduce any segfault or wrong error message with 1.5 or 1.4 on 32-bit and 64-bit hosts.
Do you have a backtrace/real examples?
#3 Updated by stepancheg over 4 years ago
I haven't tried to reproduce SEGV, but I reproduced the wrong message. Before the patch it was:
2009-02-15 23:01:42: (request.c.659) request-size too long: 1467124824
after the patch:
2009-02-15 23:56:25: (request.c.659) request-size too long: 1467124801 -> 413
What is sizeof(long) on your 32-bit host? It must be 32 to reproduce the problem.
#4 Updated by stepancheg over 4 years ago
I was wrong about SEGV:
if (r > SSIZE_MAX) {
con->http_status = 413;
ERROR("request-size too long: %s (Status: 413)", SAFE_BUF_STR(ds->value));
return 0;
}
is checked before. The real problem is only in the diag message.
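Added example, not lighttpd's code: a simplified descriptor-driven logger in the style of log_error_write, where each letter of the descriptor string selects the type that va_arg pulls for the next argument. It assumes 's' = C string, 'd' = int and 'o' = off_t, matching how the patch above uses them; the buffer handling of the real function is not reproduced. It builds the 413 diagnostic with the corrected "sos" descriptor, so the off_t is consumed whole and the trailing "-> 413" string lands in the right slot. The old "sds" call is deliberately not executed: on a 32-bit ABI where variadic arguments are packed on the stack, va_arg(ap, int) reads only half of the 64-bit off_t and the other half is then consumed as the char*, which is undefined behaviour and is why the message in comment #3 stops after the number. A second helper shows the alternative of a plain printf-style format with the value cast to long long, so the compiler can type-check the arguments.

```c
#define _FILE_OFFSET_BITS 64   /* make off_t 64-bit even on 32-bit hosts, as large-file builds do */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Simplified stand-in for a descriptor-driven logger (assumption: modelled on
 * lighttpd's log_error_write; its buffer handling is not reproduced here).
 * Each character of `desc` selects the type pulled by va_arg for the next argument:
 *   's'  char *   (C string)
 *   'd'  int
 *   'o'  off_t    (64-bit here; on a 32-bit stack ABI that is two int-sized slots,
 *                  which is why announcing an off_t as 'd' derails the later args)
 * Fields are joined with single spaces. Returns bytes written, or -1 on an
 * unknown descriptor letter or when the output buffer is too small. */
static int log_format(char *out, size_t outsz, const char *desc, ...)
{
    va_list ap;
    size_t used = 0;

    if (outsz == 0) return -1;
    out[0] = '\0';
    va_start(ap, desc);
    for (const char *p = desc; *p != '\0'; p++) {
        const char *sep = (used > 0) ? " " : "";
        int n;
        switch (*p) {
        case 's': n = snprintf(out + used, outsz - used, "%s%s",   sep, va_arg(ap, char *)); break;
        case 'd': n = snprintf(out + used, outsz - used, "%s%d",   sep, va_arg(ap, int)); break;
        case 'o': n = snprintf(out + used, outsz - used, "%s%lld", sep, (long long)va_arg(ap, off_t)); break;
        default:  va_end(ap); return -1;   /* refuse rather than guess the argument type */
        }
        if (n < 0 || (size_t)n >= outsz - used) { va_end(ap); return -1; }   /* truncated */
        used += (size_t)n;
    }
    va_end(ap);
    return (int)used;
}

/* The fixed call site as the patch has it: the off_t is announced with 'o'. */
static int request_too_long_message(char *out, size_t outsz, off_t content_length)
{
    return log_format(out, outsz, "sos",
                      "request-size too long:", content_length, "-> 413");
}

/* Alternative: a printf-style format the compiler can type-check (GCC/Clang
 * format attribute), with the off_t cast to a fixed type before the call. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int log_printf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

static int request_too_long_message_checked(char *out, size_t outsz, off_t content_length)
{
    return log_printf(out, outsz, "request-size too long: %lld -> 413",
                      (long long)content_length);
}

int main(void)
{
    char buf[128];
    off_t big = (off_t)3 << 30;   /* constructed value: 3 GiB, above the 2G boundary in the report */
    if (request_too_long_message(buf, sizeof buf, big) > 0) puts(buf);
    if (request_too_long_message_checked(buf, sizeof buf, big) > 0) puts(buf);
    return 0;
}
```

Both helpers print `request-size too long: 3221225472 -> 413` for the 3 GiB input on any host, because the descriptor (or the cast) tells the callee the true width of the value; the printf-attribute variant has the advantage that a mismatched argument becomes a compiler warning instead of a runtime surprise.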
#5 Updated by stbuehler over 4 years ago
- Subject changed from wrong format when long request size (SEGV) to wrong format when long request size
#6 Updated by stbuehler over 4 years ago
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset r2395.