OpenStack Object Storage (swift)

Security issue: negative content-length

Bug #926046 reported by Eamonn O'Toole
266
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Object Storage (swift)
Fix Released
High
Unassigned
OpenStack Object Storage (swift) 1.4.6

Bug Description

This is the first of two bugs split-out of bug 903232. From that bug:

Regarding the negative length of the Content-Length header: this could cause a denial of service because the service would never be able to read until '-1' bytes and the server would be forced to timeout. Of course this is really no different than a user sending a POST with a Content-Length of 1 and never sending any data also causing a timeout. However, the difference here is that this could potentially be used by another yet to be found or in the future to be introduced vulnerability such as an integer overflow where having a negative Content-Length could potentially cause a greater vulnerability to occur. Since it's invalid to have a negative content length and it has the potential to cause problems later it would be best to fix it now.

Revision history for this message
Eamonn O'Toole (eamonn-otoole) wrote :

From John Dickinson:

3) The Content-Length issue should be resolved by returning an error (Content-Length required). SInce we're using an evented server, it won't cause any DoS issues.

Thierry Carrez (ttx)
Changed in swift:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Jason Hullinger (jason-hullinger) wrote :

I am getting a timeout error upon sending -1 Content-Length after the default 60 seconds. From proxy.error log:

Feb 3 12:05:27 ubuntu proxy-server ERROR Client read timeout (60s) (txn: tx576de723117b4c11926d5fc4e275ff51) (client_ip: 172.16.12.1)

Additionally I also get a Request Timeout error back to the client:

------------------------------------------------------------

PUT /v1/AUTH_a/acontainer/test.xml HTTP/1.1
X-Auth-Token: AUTH_token
Content-Type: application/xml
Host: 172.16.12.149:8080
Content-Length: -1

<test></test>

HTTP/1.1 408 Request Timeout
Content-Length: 98
Content-Type: text/plain; charset=UTF-8
Date: Fri, 03 Feb 2012 20:05:27 GMT

408 Request Timeout

The server has waited too long for the request to be sent by the client.

------------------------------------------------------------

Upon changing the source code in /swift/common/constrains to include the check, starting at line 103:

    if req.content_length < 0:
        return HTTPBadRequest(request=req, content_type='text/plain')

I immediately receive a 400 Bad Request:

------------------------------------------------------------

PUT /v1/AUTH_a/acontainer/test.xml HTTP/1.1
X-Auth-Token: AUTH_token
Content-Type: application/xml
Host: 172.16.12.149:8080
Content-Length: -1

<test></test>

HTTP/1.1 400 Bad Request
Content-Length: 119
Content-Type: text/plain; charset=UTF-8
Date: Fri, 03 Feb 2012 20:11:33 GMT

400 Bad Request

The server could not comply with the request since it is either malformed or otherwise incorrect.

------------------------------------------------------------

Revision history for this message
John Dickinson (notmyname) wrote :

This bug was fixed in swift a few days ago. https://github.com/openstack/swift/commit/17b350674110865c83a2cc9b6659aa7ba18e7679

Revision history for this message
Thierry Carrez (ttx) wrote :

OK, I propose we open this one -- this is more a strengthening thing than an exploitable issue IIUC.

Revision history for this message
Robert Clark (robert-clark) wrote :

Patch in place and no massive impact from vulnerability as far as I can see.

Happy to open this one up.

Thierry Carrez (ttx)
visibility: private → public
Changed in swift:
milestone: none → 1.4.6
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.