
Bug #1900

wrong format when long request size

Added by stepancheg about 10 years ago. Updated about 10 years ago.

Status:
Fixed
Priority:
High
Assignee:
-
Category:
core
Target version:
Start date:
2009-02-15
Due date:
% Done:

100%

Estimated time:
Missing in 1.5.x:

Description

===
diff -r 48f3f2b6cb81 src/request.c
--- a/src/request.c    Sun Feb 15 16:52:40 2009 +0300
+++ b/src/request.c    Sun Feb 15 23:24:29 2009 +0300
@@ -656,7 +656,7 @@
             con->http_status = 413;
             con->keep_alive = 0;

-            log_error_write(srv, __FILE__, __LINE__, "sds",
+            log_error_write(srv, __FILE__, __LINE__, "sos",
                     "request-size too long:", con->request.content_length, "-> 413");
             return 0;
         }
===

On 32-bit hosts, this causes "-> 413" not to be printed if the file size is below 2G, and causes bad things if it is above 2G. Probably this is a security vulnerability.
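To make the mechanism behind the missing "-> 413" concrete, here is an added C example that is not lighttpd's code: a minimal stand-in for a log_error_write()-style formatter with the letters 's' (char *), 'd' (int) and 'o' (off_t), the fixed "sos" call built on top of it, and a byte-level model of what the old "sds" call reads on a 32-bit little-endian host where varargs travel on the stack and off_t is 64 bits wide (the large-file build). The function names, the frame model and the sample values are assumptions made for this example; the real log_error_write() also takes srv and file/line arguments that this stand-in omits.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for lighttpd's log_error_write() letter format
 * (not lighttpd's code): 's' -> const char *, 'd' -> int, 'o' -> off_t.
 * Fields are separated by one space, as in lighttpd's log lines.
 * Returns the number of bytes written, or -1 on truncation/unknown letter. */
static int format_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    size_t pos = 0;
    const char *p;

    if (outlen == 0) return -1;
    out[0] = '\0';
    va_start(ap, fmt);
    for (p = fmt; *p != '\0'; p++) {
        int n;
        if (pos >= outlen - 1) { va_end(ap); return -1; }   /* no room left */
        if (pos > 0) out[pos++] = ' ';                        /* field separator */
        switch (*p) {
        case 's': n = snprintf(out + pos, outlen - pos, "%s", va_arg(ap, const char *)); break;
        case 'd': n = snprintf(out + pos, outlen - pos, "%d", va_arg(ap, int)); break;
        /* off_t has no portable printf conversion; widen to intmax_t and use %jd */
        case 'o': n = snprintf(out + pos, outlen - pos, "%jd", (intmax_t)va_arg(ap, off_t)); break;
        default:  va_end(ap); return -1;                      /* unknown letter */
        }
        if (n < 0 || (size_t)n >= outlen - pos) { va_end(ap); return -1; } /* truncated */
        pos += (size_t)n;
    }
    va_end(ap);
    return (int)pos;
}

/* The message of the fixed call site: "sos", so the off_t is read as an off_t. */
static int format_413_message(char *out, size_t outlen, off_t content_length)
{
    return format_log(out, outlen, "sos",
                      "request-size too long:", content_length, "-> 413");
}

/* Model (a constructed byte image, not a real stack) of the varargs frame
 * on a 32-bit little-endian host for the arguments that "sds" and "sos"
 * disagree about: an 8-byte off_t followed by the 4-byte pointer to "-> 413".
 * Reading the off_t slot with the 'd' (int) letter consumes only its low
 * 4 bytes; the following 's' letter then takes the high 4 bytes as the
 * pointer it expects. */
static void model_sds_misread(uint64_t content_length, uint32_t suffix_ptr,
                              uint32_t *seen_as_int, uint32_t *seen_as_next_arg)
{
    unsigned char frame[12];
    uint32_t lo = 0, hi = 0;
    int i;

    for (i = 0; i < 8; i++) frame[i] = (unsigned char)(content_length >> (8 * i));
    for (i = 0; i < 4; i++) frame[8 + i] = (unsigned char)(suffix_ptr >> (8 * i));
    for (i = 3; i >= 0; i--) {
        lo = (lo << 8) | frame[i];       /* what 'd' prints as the length */
        hi = (hi << 8) | frame[4 + i];   /* what 's' dereferences as the suffix */
    }
    *seen_as_int = lo;
    *seen_as_next_arg = hi;
}

int main(void)
{
    char buf[128];
    uint32_t as_int, as_ptr;

    format_413_message(buf, sizeof buf, (off_t)1467124801);
    printf("fixed call:   %s\n", buf);
    model_sds_misread(1467124824ULL, 0x08049000u, &as_int, &as_ptr);
    printf("old call on 32-bit: length printed as %u, suffix pointer read as 0x%08x\n",
           as_int, as_ptr);
    return 0;
}
```

The model shows why the bug was invisible on 64-bit hosts: there an int and an off_t occupy the same 8-byte argument slot, so the suffix survives and only lengths above 2G print wrongly, while on 32-bit the int read leaves the high half of content_length in place and the next 's' read takes it as the pointer to the suffix (zero as long as the length fits in 32 bits, an arbitrary address otherwise). Because the letters are a private mini-language rather than printf conversions, -Wformat cannot catch such a mismatch; widening off_t to intmax_t and printing it with %jd, as format_log() does, keeps the width question in one place.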

Associated revisions

Revision 2394 (diff)
Added by stbuehler about 10 years ago

Fix wrong format strings (#1900, thx stepancheg)

Revision e2fd8a89 (diff)
Added by stbuehler about 10 years ago

Fix wrong format strings (#1900, thx stepancheg)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2394 152afb58-edef-0310-8abb-c4023f1b3aa9

Revision 2395 (diff)
Added by stbuehler about 10 years ago

Fix wrong format strings (fixes #1900, thx stepancheg)

History

#1

Updated by stepancheg about 10 years ago

diff -r 48f3f2b6cb81 src/request.c
--- a/src/request.c    Sun Feb 15 16:52:40 2009 +0300
+++ b/src/request.c    Sun Feb 15 23:24:29 2009 +0300
@@ -656,7 +656,7 @@
             con->http_status = 413;
             con->keep_alive = 0;

-            log_error_write(srv, __FILE__, __LINE__, "sds",
+            log_error_write(srv, __FILE__, __LINE__, "sos",
                     "request-size too long:", con->request.content_length, "-> 413");
             return 0;
         }
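Review bot: the "sds" to "sos" change is the right fix for this call: the 'd' letter makes log_error_write() pull an int from the va_list, while con->request.content_length is wider than int on the 32-bit hosts the report describes, so the remaining half of the value is consumed as the char * meant for "-> 413", which matches the missing-suffix symptom. Two things worth checking alongside this hunk: that no other log_error_write() call site passes content_length or another off_t under 'd' (the associated commits say "format strings", plural, so a grep over the tree is warranted), and that the 413 line still reads identically on 64-bit hosts, where the mismatch never showed.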
#2

Updated by stbuehler about 10 years ago

Yes, this looks like a bug. But I couldn't reproduce any segfault or wrong error message with 1.5 or 1.4 on 32-bit and 64-bit hosts.

Do you have a backtrace/real examples?

#3

Updated by stepancheg about 10 years ago

I haven't tried to reproduce the SEGV, but I reproduced the wrong message. Before the patch it was:

2009-02-15 23:01:42: (request.c.659) request-size too long: 1467124824

after the patch:

2009-02-15 23:56:25: (request.c.659) request-size too long: 1467124801 -> 413

What is sizeof(long) on your 32-bit host? It must be 32 to reproduce problem.

#4

Updated by stepancheg about 10 years ago

I was wrong about SEGV:

            if (r > SSIZE_MAX) {
                con->http_status = 413;

                ERROR("request-size too long: %s (Status: 413)", SAFE_BUF_STR(ds->value));

                return 0;
            }

is checked before. The real problem is only in the diag message.

#5

Updated by stbuehler about 10 years ago

  • Subject changed from wrong format when long request size (SEGV) to wrong format when long request size

#6

Updated by stbuehler about 10 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2395.
