2011/8/23 Lazy <lazy...@gmail.com>:
> 2011/8/23 Stefan Fritsch <s...@sfritsch.de>:
>> http://seclists.org/fulldisclosure/2011/Aug/175
>>
>> I haven't looked into it so far. And I am not sure I will have time today.
>>
>
> it is sending HEAD requests with lots of ranges
> HEAD / HTTP/1.1
> Host: xxxx
> Range:bytes=0-,5-1,5-2,5-3,.....
>
> the code in
> ap_byterange_filter()
> http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c
> creates a bucket for every range element,
>
> the number of buckets is limited by the size of the document in
> published code but I think it can be enhanced by
> using 1-2,1-3,..1-doc_size,2-1,2-2, 2-doc_size
>
> does Range in HEAD request have any sense at all ?
quick fix below made it immune to this dos
diff -ru modules/http/byterange_filter.c.org modules/http/byterange_filter.c |less --- byterange_filter.c 2011-02-13 15:32:19.000000000 +0100 +++ modules/http/byterange_filter.c 2011-08-23 15:54:37.000000000 +0200 @@ -320,6 +320,7 @@ const char *if_range; const char *match; const char *ct; + char * tmp; int num_ranges; if (r->assbackwards) { @@ -373,14 +374,13 @@ } } - if (!ap_strchr_c(range, ',')) { - /* a single range */ - num_ranges = 1; - } - else { - /* a multiple range */ - num_ranges = 2; - } + /* count ranges, exit if more then 10 */ + tmp=range+6; + num_ranges=1; + while(*++tmp) + if(*tmp == ',') + if(++num_ranges > 10) + return 0; r->status = HTTP_PARTIAL_CONTENT; r->range = range + 6;
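
Review bot: in the first hunk (@@ -320,6 +320,7 @@), `char * tmp;` is declared non-const although the second hunk only ever reads through it (`*tmp == ','`), and it sits next to `const char *if_range`, `const char *match` and `const char *ct`. Declare it `const char *tmp;`, with the same spacing as its neighbours, so the scan cannot write into the header value by accident.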
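
Review bot: in the second hunk (@@ -373,14 +374,13 @@), `while(*++tmp)` increments before the first test, so the byte at `range + 6` is never examined, and if that byte is the terminating NUL the loop starts reading one past the end of the string. A `for (tmp = range + 6; *tmp; ++tmp)` loop avoids both problems. The limit of 10 is a bare literal: give it a named constant or a configuration setting, with a comment on why that value was chosen. `return 0` for an over-limit header needs a comment saying what the caller does with 0, because the removed lines never returned from this spot and the hunk does not show whether the request is then rejected or answered without range processing. The nested `while`/`if`/`if` has no braces and is easy to misread, and the new comment should read "more than 10".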