J. K.(openbsd.l...@krottmayer.com) on 2021.10.21 11:55:47 +0200:
> Hi,
> 
> I don't know if this is a real issue from OpenBSD's httpd(8).
> Tried some requests to httpd(8) for the purpose of education.
> 
> Simple tried the following request:
> 
> $ telnet 10.42.42.183 80
> Trying 10.42.42.183...
> Connected to 10.42.42.183.
> Escape character is '^]'.
> GET / HTTP/1.1
> fasfsdfsfd
> 
> Here without the colon httpd(8) return an internal server
> error.
> 
> Can somebody verify this behavior?
> 
> Noticed with OpenBSD 7.0. Is this a correct behavior (RFC
> conform)?
> 
> Thanks in advance!
> 
> Kind regrads,
> 
> J. K.

Hi,

yes. The server should probably answer with a "Bad Request" instead.

Fix below. ok?

diff --git usr.sbin/httpd/server_http.c usr.sbin/httpd/server_http.c
index 732add41283..fce3c21af72 100644
--- usr.sbin/httpd/server_http.c
+++ usr.sbin/httpd/server_http.c
@@ -268,8 +268,14 @@ server_read_http(struct bufferevent *bev, void *arg)
                else if (*key == ' ' || *key == '\t')
                        /* Multiline headers wrap with a space or tab */
                        value = NULL;
-               else
+               else {
+                       /* Not a multiline header, should have a : */
                        value = strchr(key, ':');
+                       if (value == NULL) {
+                               server_abort_http(clt, 400, "malformed");
+                               goto abort;
+                       }
+               }
                if (value == NULL) {
                        if (clt->clt_line == 1) {
                                server_abort_http(clt, 400, "malformed");

Reply via email to