AST-2018-007: iostreams potential DoS when client connection closed prematurely
Before Asterisk sends an HTTP response (at least in the case of errors), it attempts to read & discard the content of the request. If the client lies about the Content-Length, or the connection is closed from the client side before "Content-Length" bytes are sent, the request handling thread will busy loop. ASTERISK-27807 Change-Id: I945c5fc888ed92be625b8c35039fc6d2aa89c762
committed by
Kevin Harwell
parent
9f2eb17005
commit
b649682caa
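--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -208,11 +208,18 @@ static ssize_t iostream_read(struct ast_iostream *stream, void *buf, size_t size
 }
 }
 break;
+case SSL_ERROR_SYSCALL:
+/* Some non-recoverable I/O error occurred. The OpenSSL error queue may
+* contain more information on the error. For socket I/O on Unix systems,
+* consult errno for details. */
+ast_debug(1, "TLS non-recoverable I/O error occurred: %s, %s\n", ERR_error_string(sslerr, err),
+ssl_error_to_string(sslerr, res));
+return -1;
 default:
 /* Report EOF for an undecoded SSL or transport error. */
 ast_debug(1, "TLS transport or SSL error reading data: %s, %s\n", ERR_error_string(sslerr, err),
 ssl_error_to_string(sslerr, res));
-return 0;
+return -1;
 }
 if (!ms) {
 /* Report EOF for a timeout */
@@ -328,7 +335,7 @@ ssize_t ast_iostream_discard(struct ast_iostream *stream, size_t size)
 
 while (remaining) {
 ret = ast_iostream_read(stream, buf, remaining > sizeof(buf) ? sizeof(buf) : remaining);
-if (ret < 0) {
+if (ret <= 0) {
 return ret;
 }
 remaining -= ret;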
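Review bot: With `if (ret <= 0) { return ret; }` in ast_iostream_discard, an EOF or timeout part-way through the body now returns 0 to the caller, which a caller testing only for a negative result cannot tell apart from a discard that drained everything (the loop's success return and the callers are outside the hunk, so what they compare against cannot be confirmed here). If draining fewer than `size` bytes is meant to be a failure, `return ret < 0 ? ret : -1;` preserves the distinction without touching the loop; otherwise a comment on the branch, `/* 0 is EOF or timeout: stop instead of spinning on a short or overstated Content-Length */`, records why 0 is treated as terminal. Note that in the first hunk the `if (!ms)` timeout path still reports EOF as 0 while SSL_ERROR_SYSCALL and the default case now return -1, so the discard loop relies on the `<= 0` comparison to cover both outcomes.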
|