[Asterisk-code-review] AST-2018-007: iostreams potential DoS when client connection... (asterisk[15.4])

Kevin Harwell asteriskteam at digium.com
Mon Jun 11 15:52:22 CDT 2018


Kevin Harwell has submitted this change and it was merged. ( https://gerrit.asterisk.org/9171 )

Change subject: AST-2018-007: iostreams potential DoS when client connection closed prematurely
......................................................................

AST-2018-007: iostreams potential DoS when client connection closed prematurely

Before Asterisk sends an HTTP response (at least in the case of errors),
it attempts to read & discard the content of the request. If the client
lies about the Content-Length, or the connection is closed from the
client side before "Content-Length" bytes are sent, the request handling
thread will busy loop.

ASTERISK-27807

Change-Id: Ib26095d3d0d515b2177bf231989d3ead7ed423b4
---
M main/iostream.c
1 file changed, 9 insertions(+), 2 deletions(-)

Approvals:
  Jenkins2: Verified
  Kevin Harwell: Looks good to me, approved; Approved for Submit



diff --git a/main/iostream.c b/main/iostream.c
index aaa74fa..9363c31 100644
--- a/main/iostream.c
+++ b/main/iostream.c
@@ -197,11 +197,18 @@
 					}
 				}
 				break;
+			case SSL_ERROR_SYSCALL:
+				/* Some non-recoverable I/O error occurred. The OpenSSL error queue may
+				 * contain more information on the error. For socket I/O on Unix systems,
+				 * consult errno for details. */
+				ast_debug(1, "TLS non-recoverable I/O error occurred: %s, %s\n", ERR_error_string(sslerr, err),
+					ssl_error_to_string(sslerr, res));
+				return -1;
 			default:
 				/* Report EOF for an undecoded SSL or transport error. */
 				ast_debug(1, "TLS transport or SSL error reading data:  %s, %s\n", ERR_error_string(sslerr, err),
 					ssl_error_to_string(sslerr, res));
-				return 0;
+				return -1;
 			}
 			if (!ms) {
 				/* Report EOF for a timeout */
@@ -317,7 +324,7 @@
 
 	while (remaining) {
 		ret = ast_iostream_read(stream, buf, remaining > sizeof(buf) ? sizeof(buf) : remaining);
-		if (ret < 0) {
+		if (ret <= 0) {
 			return ret;
 		}
 		remaining -= ret;

-- 
To view, visit https://gerrit.asterisk.org/9171
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 15.4
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib26095d3d0d515b2177bf231989d3ead7ed423b4
Gerrit-Change-Number: 9171
Gerrit-PatchSet: 1
Gerrit-Owner: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Jenkins2
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Sean Bright <sean.bright at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20180611/632097db/attachment-0001.html>


More information about the asterisk-code-review mailing list