Nmap Development mailing list archives
Re: http.lua not handling malformed HTTP response gracefully
From: David Fifield <david () bamsoftware com>
Date: Wed, 8 Jul 2009 21:16:21 -0600
On Thu, Jul 02, 2009 at 08:41:17PM +0000, Brandon Enright wrote:
Hey all, I ran into a machine on campus (Canon printer) that causes NSE to hang forever in a busy-loop. Since the script never yields, even host timeout doesn't help. Thanks to David's sharp eye and troubleshooting genius, I have attached a simple test case.

You can make a listener with:

    sudo ncat -l 80 --sh-exec "cat bad-http.txt"

And you can scan it with:

    nmap --script=html-title -p 80 -d2 localhost

With high debugging on, you should see something like:

    ...
    NSOCK (0.1030s) Read request from IOD #1 [x.y.179.88:80] (timeout: 7000ms) EID 34
    NSOCK (0.1030s) nsock_loop() started (timeout=50ms). 1 events pending
    NSOCK (0.1030s) Callback: READ EOF for EID 34 [x.y.179.88:80]
    NSE: TCP x.y.1.115:38187 > x.y.179.88:80 | CLOSE
    <hang forever at 100% CPU here>

David points out that the likely culprit is that the HTTP response includes "Transfer-Encoding: chunked" but the response is not actually chunked.
I believe this is fixed in r14121. I added much more robust handling of the chunked transfer encoding. Unless I made an implementation error, it supports everything from section 3.6.1 of RFC 2616. It also reports an error if a body is truncated, where the old code would silently ignore that.

This bug prevented me from completing any of Patrick's NSE performance tests, but with it fixed I completed a test for the first time.

I made some test files with different varieties of chunked bodies. I'll try to attach them. Here's a summary of how the new code differs from the old in the test cases. The old code is on the left, the new on the right.

                                                                              r14120             r14121
    1. Not chunked; error expected                                            hang               error reported
    2. Properly chunked, no chunk-extensions, no LWS                          success            success
    3. Properly chunked, no chunk-extensions, extra space                     success            success
    4. Properly chunked, chunk-extensions without quoted-strings              hang               success
    5. Properly chunked, chunk-extensions with quoted-strings                 hang               success
    6. chunk-extensions with quoted-strings, \ at end of string,
       error expected                                                         hang               error reported
    7. chunk-extensions with quoted-strings, non-ASCII following
       backslash, error expected                                              hang               error reported
    8. chunk-extensions with quoted-strings and control characters,
       error expected                                                         hang               error reported
    9. Inaccurate chunk size, error expected                                  silent truncation  error reported

David Fifield
Attachment: http-chunked-tests.tar.gz
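As an added illustration (not the Nmap http.lua code from r14121), here is a Python decoder that covers the same nine situations in the table above: it parses chunk-size, LWS and chunk-extensions per RFC 2616 section 3.6.1 and raises an error, rather than hanging or silently truncating, for the malformed cases. The sample bodies in the `__main__` block are constructed for this example.

```python
import re

class ChunkedError(ValueError):
    """Raised on a malformed chunked body instead of hanging or silently truncating."""

# RFC 2616 s3.6.1: chunk = chunk-size [ chunk-extension ] CRLF chunk-data CRLF
_HEX = re.compile(rb"[0-9A-Fa-f]+")
_TOKEN = rb"[!#$%&'*+\-.0-9A-Za-z^_`|~]+"
# quoted-string = <"> *( qdtext | quoted-pair ) <">: qdtext excludes CTLs and <">,
# quoted-pair is "\" followed by exactly one CHAR (octet 0-127)
_QSTR = rb'"(?:[^"\\\x00-\x1f\x7f]|\\[\x00-\x7f])*"'
# chunk-extension = *( ";" chunk-ext-name [ "=" ( token | quoted-string ) ] ), LWS allowed
_EXT = re.compile(rb"(?:[ \t]*;[ \t]*" + _TOKEN + rb"(?:[ \t]*=[ \t]*(?:"
                  + _TOKEN + rb"|" + _QSTR + rb"))?)*[ \t]*")

def decode_chunked(body: bytes) -> bytes:
    """Return the decoded payload of a chunked message body, or raise ChunkedError."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("truncated chunk-size line")
        m = _HEX.match(body, pos)
        if not m:                                       # case 1: not chunked at all
            raise ChunkedError("expected chunk-size, got %r" % body[pos:eol])
        size = int(m.group(), 16)
        if not _EXT.fullmatch(body, m.end(), eol):      # cases 3-8: LWS / extensions
            raise ChunkedError("bad chunk-extension: %r" % body[m.end():eol])
        pos = eol + 2
        if size == 0:                                   # last-chunk; trailer ends at blank line
            if body.find(b"\r\n\r\n", pos - 2) < 0:
                raise ChunkedError("truncated trailer")
            return bytes(out)
        if body[pos + size:pos + size + 2] != b"\r\n":  # case 9: size disagrees with data
            raise ChunkedError("chunk-size %d does not match chunk-data" % size)
        out += body[pos:pos + size]
        pos += size + 2

if __name__ == "__main__":
    # Constructed samples: a well-formed body with a quoted-string extension, and the
    # "Transfer-Encoding: chunked but not actually chunked" response from the report.
    for sample in (b'5;ext="a\\"b"\r\nhello\r\n0\r\n\r\n', b"<html>not chunked</html>"):
        try:
            print(decode_chunked(sample))
        except ChunkedError as e:
            print("error:", e)
```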
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org