oss-sec mailing list archives

Re: Polipo: denial-of-service using range


From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 19 Jul 2021 14:18:05 -0400

I found a vulnerability in Polipo [1], a
lightweight caching web proxy.
...

Polipo doesn't ignore/reject the malformed header. Instead, it has
an assertion:

    server.c:1473: assert(from >= 0 && (to < 0 || to > from));

So, a malformed Range header ("Range: bytes=3-2" for example) will
cause an assertion failure.  This error handling allows an attacker
to cause a denial of service.

I would be interested to know what happens when NDEBUG is defined so
the assert goes away. Does the server crash, does it lead to memory
corruption, an information leakage (like a private key), or something
else?

Jeff
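
Added example, not part of the original message and not Polipo's code: one way to validate a single-range Range value explicitly, so that the outcome does not depend on whether assert() is compiled in. check_range() and parse_pos() are hypothetical names; storing the end as one past the last byte (-1 when open-ended) is an assumption made so the result satisfies the condition in the quoted assertion, and suffix and multi-range forms are treated as unsupported.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Parse an unsigned decimal at *s; advance *s past it. 0 = ok, -1 = bad. */
static int parse_pos(const char **s, long long *out)
{
    char *end;
    if (**s < '0' || **s > '9')
        return -1;                 /* no sign, whitespace or empty field */
    errno = 0;
    *out = strtoll(*s, &end, 10);
    if (errno == ERANGE)
        return -1;                 /* does not fit in long long */
    *s = end;
    return 0;
}

/*
 * check_range() is a hypothetical helper, not a Polipo function.
 * Accepts "bytes=first-last" or "bytes=first-". Returns 0 and sets
 * *from (first byte) and *to (one past the last byte, -1 if open-ended);
 * returns -1 for anything else so the caller can ignore or reject it.
 */
int check_range(const char *value, long long *from, long long *to)
{
    long long first, last = -1;
    const char *p = value;

    if (strncmp(p, "bytes=", 6) != 0)
        return -1;                 /* unknown range unit */
    p += 6;
    if (parse_pos(&p, &first) != 0 || *p != '-')
        return -1;                 /* suffix form or garbage: unsupported */
    p++;
    if (*p != '\0') {
        if (parse_pos(&p, &last) != 0 || *p != '\0')
            return -1;             /* trailing data or multi-range list */
        if (last < first || last == LLONG_MAX)
            return -1;             /* e.g. "bytes=3-2": reject, do not assert */
        last++;                    /* convert to exclusive end */
    }
    *from = first;
    *to = last;                    /* from >= 0 && (to < 0 || to > from) holds */
    return 0;
}
```

On a -1 return the caller leaves *from and *to untouched and can either serve the full entity or answer with an error, instead of aborting the process.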

