AST-2018-007: iostreams potential DoS when client connection closed prematurely

Before Asterisk sends an HTTP response (at least in the case of errors), it attempts to read & discard the content of the request. If the client lies about the Content-Length, or the connection is closed from the client side before "Content-Length" bytes are sent, the request handling thread will busy loop. ASTERISK-27807 Change-Id: I945c5fc888ed92be625b8c35039fc6d2aa89c762
2025-10-31 02:37:10 +00:00 · 2018-04-16 15:13:58 -04:00
parent 9f2eb17005
commit b649682caa
1 changed files with 9 additions and 2 deletions
--- a/main/iostream.c
+++ b/main/iostream.c
@@ -208,11 +208,18 @@ static ssize_t iostream_read(struct ast_iostream *stream, void *buf, size_t size
 					}
 				}
 				break;
+			case SSL_ERROR_SYSCALL:
+				/* Some non-recoverable I/O error occurred. The OpenSSL error queue may
+				 * contain more information on the error. For socket I/O on Unix systems,
+				 * consult errno for details. */
+				ast_debug(1, "TLS non-recoverable I/O error occurred: %s, %s\n", ERR_error_string(sslerr, err),
+					ssl_error_to_string(sslerr, res));
+				return -1;
 			default:
 				/* Report EOF for an undecoded SSL or transport error. */
 				ast_debug(1, "TLS transport or SSL error reading data:  %s, %s\n", ERR_error_string(sslerr, err),
 					ssl_error_to_string(sslerr, res));
-				return 0;
+				return -1;
 			}
 			if (!ms) {
 				/* Report EOF for a timeout */
@@ -328,7 +335,7 @@ ssize_t ast_iostream_discard(struct ast_iostream *stream, size_t size)

 	while (remaining) {
 		ret = ast_iostream_read(stream, buf, remaining > sizeof(buf) ? sizeof(buf) : remaining);
-		if (ret < 0) {
+		if (ret <= 0) {
 			return ret;
 		}
 		remaining -= ret;