Security issue: negative content-length

Bug #926046 reported by Eamonn O'Toole on 2012-02-03
Affects: OpenStack Object Storage (swift)
Importance: High
Assigned to: Unassigned

Bug Description

This is the first of two bugs split out of bug 903232. From that bug:

Regarding the negative length of the Content-Length header: this could cause a denial of service because the service would never be able to read until '-1' bytes and the server would be forced to timeout. Of course this is really no different than a user sending a POST with a Content-Length of 1 and never sending any data also causing a timeout. However, the difference here is that this could potentially be used by another yet to be found or in the future to be introduced vulnerability such as an integer overflow where having a negative Content-Length could potentially cause a greater vulnerability to occur. Since it's invalid to have a negative content length and it has the potential to cause problems later it would be best to fix it now.

Eamonn O'Toole (eamonn-otoole) wrote :

From John Dickinson:

3) The Content-Length issue should be resolved by returning an error (Content-Length required). Since we're using an evented server, it won't cause any DoS issues.

Thierry Carrez (ttx) on 2012-02-03
Changed in swift:
importance: Undecided → High
status: New → Confirmed

I am getting a timeout error upon sending -1 Content-Length after the default 60 seconds. From proxy.error log:

Feb 3 12:05:27 ubuntu proxy-server ERROR Client read timeout (60s) (txn: tx576de723117b4c11926d5fc4e275ff51) (client_ip: 172.16.12.1)

Additionally I also get a Request Timeout error back to the client:

------------------------------------------------------------

PUT /v1/AUTH_a/acontainer/test.xml HTTP/1.1
X-Auth-Token: AUTH_token
Content-Type: application/xml
Host: 172.16.12.149:8080
Content-Length: -1

<test></test>

HTTP/1.1 408 Request Timeout
Content-Length: 98
Content-Type: text/plain; charset=UTF-8
Date: Fri, 03 Feb 2012 20:05:27 GMT

408 Request Timeout

The server has waited too long for the request to be sent by the client.

------------------------------------------------------------

Upon changing the source code in /swift/common/constrains to include the check, starting at line 103:

    if req.content_length < 0:
        return HTTPBadRequest(request=req, content_type='text/plain')

I immediately receive a 400 Bad Request:

------------------------------------------------------------

PUT /v1/AUTH_a/acontainer/test.xml HTTP/1.1
X-Auth-Token: AUTH_token
Content-Type: application/xml
Host: 172.16.12.149:8080
Content-Length: -1

<test></test>

HTTP/1.1 400 Bad Request
Content-Length: 119
Content-Type: text/plain; charset=UTF-8
Date: Fri, 03 Feb 2012 20:11:33 GMT

400 Bad Request

The server could not comply with the request since it is either malformed or otherwise incorrect.

------------------------------------------------------------
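
The check tested in the comment above, as an added stand-alone example (not Swift's code and not posted by anyone in this thread): it validates the raw Content-Length value before any body read, so a negative or malformed length gets an immediate 400 instead of waiting for the 60s client read timeout. The function name, the lower-cased header dict, the size limit, and the 411/413 branches are assumptions made for illustration.

```python
import re

# Assumed upper bound for this example only; not taken from the bug report.
MAX_FILE_SIZE = 5 * 2 ** 30

# HTTP allows only ASCII digits here. int() alone is too lenient: it also
# accepts "-1", "+13", "1_000" and non-ASCII digits.
_DIGITS = re.compile(r"[0-9]+")


def check_content_length(headers, max_size=MAX_FILE_SIZE):
    """Return (status, reason) if the request must be refused, else None.

    headers: dict mapping lower-cased header names to raw string values
    (hypothetical shape, chosen so the example runs without a framework).
    """
    raw = headers.get("content-length")
    if raw is None:
        # No length at all is only acceptable for a chunked body.
        if headers.get("transfer-encoding", "").strip().lower() == "chunked":
            return None
        return (411, "Length Required")
    raw = raw.strip()
    if not _DIGITS.fullmatch(raw):
        # Covers the "-1" case from this bug, plus other malformed values.
        return (400, "Bad Request")
    if int(raw) > max_size:
        return (413, "Request Entity Too Large")
    return None


if __name__ == "__main__":
    # Constructed sample headers; the first mirrors the PUT shown above.
    samples = [
        {"content-length": "-1"},
        {"content-length": "13"},
        {"content-length": "1_000"},
        {"transfer-encoding": "chunked"},
        {},
    ]
    for h in samples:
        print(h, "->", check_content_length(h) or "accepted")
```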

Thierry Carrez (ttx) wrote :

OK, I propose we open this one -- this is more a strengthening thing than an exploitable issue IIUC.

Robert Clark (robert-clark) wrote :

Patch in place and no massive impact from vulnerability as far as I can see.

Happy to open this one up.

Thierry Carrez (ttx) on 2012-02-09
visibility: private → public
Changed in swift:
milestone: none → 1.4.6
status: Confirmed → Fix Released