https://bz.apache.org/bugzilla/show_bug.cgi?id=64866
Bug ID: 64866
Summary: Too small Content-Length validation breaks SSTP
Product: Apache httpd-2
Version: 2.4.46
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Core
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Created attachment 37544
--> https://bz.apache.org/bugzilla/attachment.cgi?id=37544&action=edit
Patch that utilizes strtoull to validate Content-Length
Too small Content-Length validation breaks SSTP
We believe a recently added Content-Length check has started breaking SSTP
connections.
Tunneling SSTP through httpd would work for us in httpd 2.4.39 but with httpd
2.4.46 we see the following error in the logs:
[core:debug] protocol.c(1395): AH10242: client sent invalid Content-Length (18446744073709551615): /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
The SSTP spec
(https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/7e5b2134-b4bf-435a-85bf-bfe0313fd889)
specifies that a Content-Length of 18446744073709551615 (ULONGLONG_MAX) must
be set on all SSTP connections.
Commit 2efe92b51dc4c33c907c9b8c17cb5038aad8038c "core, protocol: reject
invalid Content-Length ASAP."
(https://github.com/apache/httpd/commit/2efe92b51dc4c33c907c9b8c17cb5038aad8038c)
has added a Content-Length check that (inadvertently?) restricts the
Content-Length to a signed long. The commit calls ap_parse_strict_length that
ultimately calls strtol to verify the input. This will give an ERANGE error on
ULONGLONG_MAX and thus prematurely end the connection.
A possible patch (that replaces strtol with strtoull) is attached.
I should probably confess that we're using Apache httpd as a reverse proxy for
SSTP with a custom-written mod_proxy_sstp. Unfortunately the Content-Length
check happens before mod_proxy_sstp gets called and so our mod is never called
anymore.
We would be very grateful if the Content-Length check could be made more
lenient again so it will support protocols such as SSTP once more.
kind regards
Karsten
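
Added example (not part of the report, the attached patch or httpd's code): a strict Content-Length parser in C with a signed and an unsigned 64-bit limit, showing why 18446744073709551615 fails the first and passes the second, and why a bare strtoull call still needs a digits-only check. The function names are hypothetical, and strtoll stands in here for the signed conversion the report attributes to strtol.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Strict syntax: 1*DIGIT only (no sign, no whitespace, not empty). */
static int all_digits(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (*s < '0' || *s > '9') return 0;
    return 1;
}

/* Signed 64-bit range: anything above LLONG_MAX fails with ERANGE. */
int parse_len_signed(const char *s, long long *out)
{
    if (!all_digits(s)) return -1;
    errno = 0;
    *out = strtoll(s, NULL, 10);
    return errno == ERANGE ? -1 : 0;
}

/* Unsigned 64-bit range behind the same strict syntax check. */
int parse_len_unsigned(const char *s, unsigned long long *out)
{
    if (!all_digits(s)) return -1;
    errno = 0;
    *out = strtoull(s, NULL, 10);
    return errno == ERANGE ? -1 : 0;
}

/* strtoull alone: it skips leading whitespace and negates "-N" silently. */
int parse_len_lax(const char *s, unsigned long long *out)
{
    char *end;
    errno = 0;
    *out = strtoull(s, &end, 10);
    return (errno == ERANGE || end == s || *end != '\0') ? -1 : 0;
}

int main(void)
{
    const char *in[] = { /* constructed inputs; the third is the SSTP value */
        "0", "9223372036854775807", "18446744073709551615",
        "18446744073709551616", "-1", " 42", "" };
    long long sv; unsigned long long uv;
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("[%s] signed=%d unsigned=%d lax=%d\n", in[i], parse_len_signed(in[i], &sv),
               parse_len_unsigned(in[i], &uv), parse_len_lax(in[i], &uv));
    return 0;
}
```

Without the digits-only check, "-1" and " 42" are accepted by the lax variant, so widening the range to unsigned must not relax the syntax check.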