Bug #2899 (closed)
security: use-after-free after invalid Range request
Description
security: use-after-free after invalid Range request
credit: Marcus Wengelin
I found a use-after-free bug that is triggered when lighttpd parses the Range header in a client request.

This is a minimal example that triggers the bug:

    GET /index.html HTTP/1.0
    Range:0
    Range:bytes=-

When parsing the first Range header, the following check in request.c fails:

    0 == strncasecmp(ds->value->ptr, "bytes=", 6)

This means that con->request.http_range is not set. Later in the code, at this line:

    if (ds) array_insert_unique(con->request.headers, (data_unset *)ds)

the Range header is inserted into the list of headers. When the valid Range header is parsed, it passes the check and con->request.http_range is set to point to it.

However, when the following line is reached again:

    if (ds) array_insert_unique(con->request.headers, (data_unset *)ds)

the valid Range header is freed and appended to the invalid Range header. con->request.http_range now points to a freed buffer. It is then used in http-header-glue.c, which is now an invalid read.

A fix has been committed in d161f53d.
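The ownership hazard the report describes, modelled as an added C example. This is not lighttpd's code and not the fix in d161f53d (the report does not describe that change): it is a small constructed header array whose insert-unique merges a duplicate key into the existing entry and frees the newly inserted one, with the "remember `ds` before inserting it" pattern beside the pattern of only keeping the pointer that insert-unique returns. The names `header_t`, `array_owns`, `REQ_REPORT`, `REQ_SINGLE`, the parse functions and the `RANGE_*` result codes are all constructed for this illustration; the stale pointer is compared as an integer and never dereferenced.

```c
#define _POSIX_C_SOURCE 200809L   /* strdup, strcasecmp, strncasecmp */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed model of a header array whose insert-unique merges a duplicate
 * key into the existing entry and frees the newly inserted one. It illustrates
 * the ownership hazard; it is not lighttpd's array implementation. */
typedef struct { char *key; char *value; } header_t;
typedef struct { header_t *items[16]; size_t used; } header_array_t;

static header_t *header_new(const char *key, const char *value) {
    header_t *h = calloc(1, sizeof *h);
    if (!h) abort();
    h->key = strdup(key);
    h->value = strdup(value);
    if (!h->key || !h->value) abort();
    return h;
}

static void header_free(header_t *h) { free(h->key); free(h->value); free(h); }

/* Append-or-merge. Always returns the entry that lives in the array; when a
 * duplicate key is merged, `h` is freed and must not be used by the caller. */
static header_t *array_insert_unique(header_array_t *a, header_t *h) {
    for (size_t i = 0; i < a->used; i++) {
        header_t *old = a->items[i];
        if (strcasecmp(old->key, h->key) == 0) {
            size_t n = strlen(old->value) + strlen(h->value) + 2;
            char *joined = malloc(n);
            if (!joined) abort();
            snprintf(joined, n, "%s,%s", old->value, h->value);
            free(old->value);
            old->value = joined;
            header_free(h);                  /* `h` dangles from here on */
            return old;
        }
    }
    if (a->used == sizeof a->items / sizeof a->items[0]) abort();
    a->items[a->used++] = h;
    return h;
}

static void array_free(header_array_t *a) {
    for (size_t i = 0; i < a->used; i++) header_free(a->items[i]);
    a->used = 0;
}

/* Does the array currently own an entry at address `addr`? Compared as an
 * integer so that a stale pointer value is never dereferenced. */
static int array_owns(const header_array_t *a, uintptr_t addr) {
    for (size_t i = 0; i < a->used; i++)
        if ((uintptr_t)a->items[i] == addr) return 1;
    return 0;
}

/* Constructed request header lists. REQ_REPORT mirrors the ordering in the
 * report: an invalid Range first, a well-formed one second. */
const char *const REQ_REPORT[2][2] = { {"Range", "0"}, {"Range", "bytes=-"} };
const char *const REQ_SINGLE[1][2] = { {"Range", "bytes=0-99"} };

enum { RANGE_NONE = 0, RANGE_LIVE = 1, RANGE_STALE = -1 };

/* Pattern described in the report: http_range is set to `ds` before `ds` is
 * handed to insert-unique and is never refreshed afterwards. */
int parse_retain_before_insert(const char *const (*req)[2], size_t n) {
    header_array_t headers = {{0}, 0};
    uintptr_t http_range = 0;
    for (size_t i = 0; i < n; i++) {
        header_t *ds = header_new(req[i][0], req[i][1]);
        if (strcasecmp(ds->key, "Range") == 0 &&
            strncasecmp(ds->value, "bytes=", 6) == 0)
            http_range = (uintptr_t)ds;      /* remembers ds itself */
        array_insert_unique(&headers, ds);   /* may merge and free ds */
    }
    int rc = http_range == 0 ? RANGE_NONE
           : array_owns(&headers, http_range) ? RANGE_LIVE : RANGE_STALE;
    array_free(&headers);
    return rc;
}

/* Safer pattern: keep only the pointer insert-unique returned and validate the
 * value actually stored (a merged "0,bytes=-" fails the prefix check).
 * If `out` is non-NULL the stored Range value is copied into it. */
int parse_use_stored_entry(const char *const (*req)[2], size_t n,
                           char *out, size_t outlen) {
    header_array_t headers = {{0}, 0};
    header_t *http_range = NULL;
    for (size_t i = 0; i < n; i++) {
        header_t *stored = array_insert_unique(&headers,
                                               header_new(req[i][0], req[i][1]));
        if (strcasecmp(stored->key, "Range") == 0) {
            http_range = strncasecmp(stored->value, "bytes=", 6) == 0 ? stored : NULL;
            if (out) snprintf(out, outlen, "%s", stored->value);
        }
    }
    int rc = http_range == NULL ? RANGE_NONE
           : array_owns(&headers, (uintptr_t)http_range) ? RANGE_LIVE : RANGE_STALE;
    array_free(&headers);
    return rc;
}
```

With the report's two headers, the first pattern ends holding an address the array no longer owns (RANGE_STALE), while the second pattern ends with no range at all because the merged value no longer starts with "bytes="; with a single well-formed Range header both patterns yield a live entry. The general rule the example encodes is that any container insert which may free or replace its argument should return the canonical entry, and callers should retain only that.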