1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
|
https://banu.com/bugzilla/show_bug.cgi?id=110#c4
From 526215dbb4abb1cff9a170343fa50dbda9492eb1 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Fri, 15 Mar 2013 12:34:01 +0100
Subject: [PATCH 1/2] [BB#110] secure the hashmaps by adding a seed
Based on patch provided by gpernot@praksys.org on bugzilla.
Signed-off-by: Michael Adam <obnox@samba.org>
---
configure.ac | 2 ++
src/child.c | 1 +
src/hashmap.c | 14 ++++++++------
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index ecbcba0..cc40e85 100644
--- a/configure.ac
+++ b/configure.ac
@@ -205,6 +205,8 @@ AC_CHECK_FUNCS([gethostname inet_ntoa memchr memset select socket strcasecmp \
AC_CHECK_FUNCS([isascii memcpy setrlimit ftruncate regcomp regexec])
AC_CHECK_FUNCS([strlcpy strlcat])
+AC_CHECK_FUNCS([time rand srand])
+
dnl Enable extra warnings
DESIRED_FLAGS="-fdiagnostics-show-option -Wall -Wextra -Wno-unused-parameter -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Wfloat-equal -Wundef -Wformat=2 -Wlogical-op -Wmissing-include-dirs -Wformat-nonliteral -Wold-style-definition -Wpointer-arith -Waggregate-return -Winit-self -Wpacked --std=c89 -ansi -pedantic -Wno-overlength-strings -Wc++-compat -Wno-long-long -Wno-overlength-strings -Wdeclaration-after-statement -Wredundant-decls -Wmissing-noreturn -Wshadow -Wendif-labels -Wcast-qual -Wcast-align -Wwrite-strings -Wp,-D_FORTIFY_SOURCE=2 -fno-common"
diff --git a/src/child.c b/src/child.c
index 34e20e0..0d778d9 100644
--- a/src/child.c
+++ b/src/child.c
@@ -196,6 +196,7 @@ static void child_main (struct child_s *ptr)
}
ptr->connects = 0;
+ srand(time(NULL));
while (!config.quit) {
ptr->status = T_WAITING;
diff --git a/src/hashmap.c b/src/hashmap.c
index f46fdcb..8cf7c6b 100644
--- a/src/hashmap.c
+++ b/src/hashmap.c
@@ -50,6 +50,7 @@ struct hashbucket_s {
};
struct hashmap_s {
+ uint32_t seed;
unsigned int size;
hashmap_iter end_iterator;
@@ -65,7 +66,7 @@ struct hashmap_s {
*
* If any of the arguments are invalid a negative number is returned.
*/
-static int hashfunc (const char *key, unsigned int size)
+static int hashfunc (const char *key, unsigned int size, uint32_t seed)
{
uint32_t hash;
@@ -74,7 +75,7 @@ static int hashfunc (const char *key, unsigned int size)
if (size == 0)
return -ERANGE;
- for (hash = tolower (*key++); *key != '\0'; key++) {
+ for (hash = seed; *key != '\0'; key++) {
uint32_t bit = (hash & 1) ? (1 << (sizeof (uint32_t) - 1)) : 0;
hash >>= 1;
@@ -104,6 +105,7 @@ hashmap_t hashmap_create (unsigned int nbuckets)
if (!ptr)
return NULL;
+ ptr->seed = (uint32_t)rand();
ptr->size = nbuckets;
ptr->buckets = (struct hashbucket_s *) safecalloc (nbuckets,
sizeof (struct
@@ -201,7 +203,7 @@ hashmap_insert (hashmap_t map, const char *key, const void *data, size_t len)
if (!data || len < 1)
return -ERANGE;
- hash = hashfunc (key, map->size);
+ hash = hashfunc (key, map->size, map->seed);
if (hash < 0)
return hash;
@@ -382,7 +384,7 @@ ssize_t hashmap_search (hashmap_t map, const char *key)
if (map == NULL || key == NULL)
return -EINVAL;
- hash = hashfunc (key, map->size);
+ hash = hashfunc (key, map->size, map->seed);
if (hash < 0)
return hash;
@@ -416,7 +418,7 @@ ssize_t hashmap_entry_by_key (hashmap_t map, const char *key, void **data)
if (!map || !key || !data)
return -EINVAL;
- hash = hashfunc (key, map->size);
+ hash = hashfunc (key, map->size, map->seed);
if (hash < 0)
return hash;
@@ -451,7 +453,7 @@ ssize_t hashmap_remove (hashmap_t map, const char *key)
if (map == NULL || key == NULL)
return -EINVAL;
- hash = hashfunc (key, map->size);
+ hash = hashfunc (key, map->size, map->seed);
if (hash < 0)
return hash;
--
1.7.9.5
https://banu.com/bugzilla/show_bug.cgi?id=110#c5
From f1189daec6866efeb44f24073cd19d7ece86e537 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Fri, 15 Mar 2013 13:10:01 +0100
Subject: [PATCH 2/2] [BB#110] limit the number of headers per request to
prevent DoS
Based on patch provided by gpernot@praksys.org on bugzilla.
Signed-off-by: Michael Adam <obnox@samba.org>
---
src/reqs.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/reqs.c b/src/reqs.c
index 2de43a8..af014ba 100644
--- a/src/reqs.c
+++ b/src/reqs.c
@@ -611,12 +611,19 @@ add_header_to_connection (hashmap_t hashofheaders, char *header, size_t len)
}
/*
+ * define max number of headers.
+ * big enough to handle legitimate cases, but limited to avoid DoS
+ */
+#define MAX_HEADERS 10000
+
+/*
* Read all the headers from the stream
*/
static int get_all_headers (int fd, hashmap_t hashofheaders)
{
char *line = NULL;
char *header = NULL;
+ int count;
char *tmp;
ssize_t linelen;
ssize_t len = 0;
@@ -625,7 +632,7 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
assert (fd >= 0);
assert (hashofheaders != NULL);
- for (;;) {
+ for (count = 0; count < MAX_HEADERS; count++) {
if ((linelen = readline (fd, &line)) <= 0) {
safefree (header);
safefree (line);
@@ -691,6 +698,14 @@ static int get_all_headers (int fd, hashmap_t hashofheaders)
safefree (line);
}
+
+ /*
+ * if we get there, this is we reached MAX_HEADERS count
+ * bail out with error
+ */
+ safefree (header);
+ safefree (line);
+ return -1;
}
/*
--
1.7.9.5
|