'[gentoo-commits] gentoo-x86 commit in net-proxy/tinyproxy/files: tinyproxy-1.8.3-DoS-Prevention.patc'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-commits
Subject:    [gentoo-commits] gentoo-x86 commit in net-proxy/tinyproxy/files: tinyproxy-1.8.3-DoS-Prevention.patc
From:       "Jeroen Roovers (jer)" <jer () gentoo ! org>
Date:       2013-08-31 16:44:15
Message-ID: 20130831164415.5033F2004C () flycatcher ! gentoo ! org
[Download RAW message or body]

jer         13/08/31 16:44:15

  Added:                tinyproxy-1.8.3-DoS-Prevention.patch
  Removed:              tinyproxy-1.8.3-r2-DoS-Prevention.patch
  Log:
  Fix patch name (Gentoo revisions do not make sense).
  
  (Portage version: 2.2.1/cvs/Linux x86_64, signed Manifest commit with key A792A613)

Revision  Changes    Path
1.1                  net-proxy/tinyproxy/files/tinyproxy-1.8.3-DoS-Prevention.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-proxy/tinyproxy/files/tinyproxy-1.8.3-DoS-Prevention.patch?rev=1.1&view=markup
                
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-proxy/tinyproxy/files/tinyproxy-1.8.3-DoS-Prevention.patch?rev=1.1&content-type=text/plain


Index: tinyproxy-1.8.3-DoS-Prevention.patch
===================================================================
https://banu.com/bugzilla/show_bug.cgi?id=110#c4

> From 526215dbb4abb1cff9a170343fa50dbda9492eb1 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Fri, 15 Mar 2013 12:34:01 +0100
Subject: [PATCH 1/2] [BB#110] secure the hashmaps by adding a seed

Based on patch provided by gpernot@praksys.org on bugzilla.

Signed-off-by: Michael Adam <obnox@samba.org>
---
 configure.ac  |    2 ++
 src/child.c   |    1 +
 src/hashmap.c |   14 ++++++++------
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index ecbcba0..cc40e85 100644
--- a/configure.ac
+++ b/configure.ac
@@ -205,6 +205,8 @@ AC_CHECK_FUNCS([gethostname inet_ntoa memchr memset select socket \
strcasecmp \  AC_CHECK_FUNCS([isascii memcpy setrlimit ftruncate regcomp regexec])
 AC_CHECK_FUNCS([strlcpy strlcat])
 
+AC_CHECK_FUNCS([time rand srand])
+
 
 dnl Enable extra warnings
 DESIRED_FLAGS="-fdiagnostics-show-option -Wall -Wextra -Wno-unused-parameter \
-Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Wfloat-equal -Wundef \
-Wformat=2 -Wlogical-op -Wmissing-include-dirs -Wformat-nonliteral \
-Wold-style-definition -Wpointer-arith -Waggregate-return -Winit-self -Wpacked \
--std=c89 -ansi -pedantic -Wno-overlength-strings -Wc++-compat -Wno-long-long \
-Wno-overlength-strings -Wdeclaration-after-statement -Wredundant-decls \
-Wmissing-noreturn -Wshadow -Wendif-labels -Wcast-qual -Wcast-align -Wwrite-strings \
                -Wp,-D_FORTIFY_SOURCE=2 -fno-common"
diff --git a/src/child.c b/src/child.c
index 34e20e0..0d778d9 100644
--- a/src/child.c
+++ b/src/child.c
@@ -196,6 +196,7 @@ static void child_main (struct child_s *ptr)
         }
 
         ptr->connects = 0;
+        srand(time(NULL));
 
         while (!config.quit) {
                 ptr->status = T_WAITING;
diff --git a/src/hashmap.c b/src/hashmap.c
index f46fdcb..8cf7c6b 100644
--- a/src/hashmap.c
+++ b/src/hashmap.c
@@ -50,6 +50,7 @@ struct hashbucket_s {
 };
 
 struct hashmap_s {
+        uint32_t seed;
         unsigned int size;
         hashmap_iter end_iterator;
 
@@ -65,7 +66,7 @@ struct hashmap_s {
  *
  * If any of the arguments are invalid a negative number is returned.
  */
-static int hashfunc (const char *key, unsigned int size)
+static int hashfunc (const char *key, unsigned int size, uint32_t seed)
 {
         uint32_t hash;
 
@@ -74,7 +75,7 @@ static int hashfunc (const char *key, unsigned int size)
         if (size == 0)
                 return -ERANGE;
 
-        for (hash = tolower (*key++); *key != '\0'; key++) {
+        for (hash = seed; *key != '\0'; key++) {
                 uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0;
 
                 hash >>= 1;
@@ -104,6 +105,7 @@ hashmap_t hashmap_create (unsigned int nbuckets)
         if (!ptr)
                 return NULL;
 
+        ptr->seed = (uint32_t)rand();
         ptr->size = nbuckets;
         ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets,
                                                            sizeof (struct
@@ -201,7 +203,7 @@ hashmap_insert (hashmap_t map, const char *key, const void *data, \
size_t len)  if (!data || len < 1)
                 return -ERANGE;
 
-        hash = hashfunc (key, map->size);
+        hash = hashfunc (key, map->size, map->seed);
         if (hash < 0)
                 return hash;
 
@@ -382,7 +384,7 @@ ssize_t hashmap_search (hashmap_t map, const char *key)
         if (map == NULL || key == NULL)
                 return -EINVAL;
 
-        hash = hashfunc (key, map->size);
+        hash = hashfunc (key, map->size, map->seed);
         if (hash < 0)
                 return hash;
 
@@ -416,7 +418,7 @@ ssize_t hashmap_entry_by_key (hashmap_t map, const char *key, \
void **data)  if (!map || !key || !data)
                 return -EINVAL;
 
-        hash = hashfunc (key, map->size);
+        hash = hashfunc (key, map->size, map->seed);
         if (hash < 0)
                 return hash;
 
@@ -451,7 +453,7 @@ ssize_t hashmap_remove (hashmap_t map, const char *key)
         if (map == NULL || key == NULL)
                 return -EINVAL;
 
-        hash = hashfunc (key, map->size);
+        hash = hashfunc (key, map->size, map->seed);
         if (hash < 0)
                 return hash;
 
-- 
1.7.9.5

https://banu.com/bugzilla/show_bug.cgi?id=110#c5

> From f1189daec6866efeb44f24073cd19d7ece86e537 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Fri, 15 Mar 2013 13:10:01 +0100
Subject: [PATCH 2/2] [BB#110] limit the number of headers per request to
 prevent DoS

Based on patch provided by gpernot@praksys.org on bugzilla.

Signed-off-by: Michael Adam <obnox@samba.org>
---
 src/reqs.c |   17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/reqs.c b/src/reqs.c
index 2de43a8..af014ba 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -611,12 +611,19 @@ add_header_to_connection (hashmap_t hashofheaders, char \
*header, size_t len)  }
 
 /*
+ * define max number of headers.
+ * big enough to handle legitimate cases, but limited to avoid DoS
+ */
+#define MAX_HEADERS 10000
+
+/*
  * Read all the headers from the stream
  */
 static int get_all_headers (int fd, hashmap_t hashofheaders)
 {
         char *line = NULL;
         char *header = NULL;
+        int count;
         char *tmp;
         ssize_t linelen;
         ssize_t len = 0;
@@ -625,7 +632,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
         assert (fd >= 0);
         assert (hashofheaders != NULL);
 
-        for (;;) {
+        for (count = 0; count < MAX_HEADERS; count++) {
                 if ((linelen = readline (fd, &line)) <= 0) {
                         safefree (header);
                         safefree (line);
@@ -691,6 +698,14 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
 
                 safefree (line);
         }
+
+        /*
+         * if we get there, this is we reached MAX_HEADERS count
+         * bail out with error
+         */
+        safefree (header);
+        safefree (line);
+        return -1;
 }
 
 /*
-- 
1.7.9.5


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic