[core] limit con->uri.authority < 1024 octets

(expect < 256 octets for DNS name) Since limit is imposed, can use buffer_clear() instead of buffer_reset() for con->uri.authority and con->server_name. (Also, con->uri.scheme is limited to "http" and "https", so use buffer_clear() for it, too)
3 years ago · cef6ee675d
3 changed files with 32 additions and 12 deletions
--- a/src/connections.c
+++ b/src/connections.c
@ -64,7 +64,7 @@ static int connection_del(server *srv, connection *con) {

 	if (-1 == con->ndx) return -1;

-	buffer_reset(con->uri.authority);
+	buffer_clear(con->uri.authority);
 	buffer_reset(con->uri.path);
 	buffer_reset(con->uri.query);
 	buffer_reset(con->request.orig_uri);
@ -619,18 +619,19 @@ int connection_reset(server *srv, connection *con) {

 	/* CLEAN(request.orig_uri); */

-	CLEAN(uri.scheme);
-	/* CLEAN(uri.authority); */
 	/* CLEAN(uri.path); */
 	CLEAN(uri.path_raw);
 	/* CLEAN(uri.query); */

 	CLEAN(parse_request);

-	CLEAN(server_name);
-	/*CLEAN(proto);*//* set to default in connection_accepted() */
 #undef CLEAN

+	buffer_clear(con->uri.scheme);
+	/*buffer_clear(con->proto);*//* set to default in connection_accepted() */
+	/*buffer_clear(con->uri.authority);*/
+	buffer_clear(con->server_name);
+
 	con->request.http_host = NULL;
 	con->request.content_length = 0;
 	con->request.te_chunked = 0;
@ -1126,7 +1127,7 @@ int connection_state_machine(server *srv, connection *con) {

 			break;
 		case CON_STATE_REQUEST_END: /* transient */
-			buffer_reset(con->uri.authority);
+			buffer_clear(con->uri.authority);
 			buffer_reset(con->uri.path);
 			buffer_reset(con->uri.query);
 			buffer_reset(con->request.orig_uri);
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@ -327,6 +327,7 @@ network_ssl_servername_callback (SSL *ssl, int *al, server *srv)
    const char *servername;
    handler_ctx *hctx = (handler_ctx *) SSL_get_app_data(ssl);
    connection *con = hctx->con;
+    size_t len;
    UNUSED(al);

    buffer_copy_string(con->uri.scheme, "https");
@ -340,8 +341,14 @@ network_ssl_servername_callback (SSL *ssl, int *al, server *srv)
 #endif
        return SSL_TLSEXT_ERR_NOACK;
    }
+    len = strlen(servername);
+    if (len >= 1024) { /*(expecting < 256)*/
+        log_error_write(srv, __FILE__, __LINE__, "sss", "SSL:",
+                        "SNI name too long", servername);
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
    /* use SNI to patch mod_openssl config and then reset COMP_HTTP_HOST */
-    buffer_copy_string(con->uri.authority, servername);
+    buffer_copy_string_len(con->uri.authority, servername, len);
    buffer_to_lower(con->uri.authority);

    con->conditional_is_valid[COMP_HTTP_SCHEME] = 1;
@ -350,7 +357,7 @@ network_ssl_servername_callback (SSL *ssl, int *al, server *srv)
    /* reset COMP_HTTP_HOST so that conditions re-run after request hdrs read */
    /*(done in response.c:config_cond_cache_reset() after request hdrs read)*/
    /*config_cond_cache_reset_item(con, COMP_HTTP_HOST);*/
-    /*buffer_reset(con->uri.authority);*/
+    /*buffer_clear(con->uri.authority);*/

    if (NULL == hctx->conf.ssl_pemfile_x509
        || NULL == hctx->conf.ssl_pemfile_pkey) {
--- a/src/request.c
+++ b/src/request.c
@ -348,10 +348,6 @@ int http_request_host_policy (connection *con, buffer *b, const buffer *scheme)
                && 0 != http_request_host_normalize(b, scheme_port(scheme))));
 }

-#if 0
-#define DUMP_HEADER
-#endif
-
 static int http_request_split_value(array *vals, const char *current, size_t len) {
 	int state = 0;
 	const char *token_start = NULL, *token_end = NULL;
@ -468,6 +464,14 @@ static int parse_single_header(server *srv, connection *con, parse_header_state
      case HTTP_HEADER_HOST:
        if (!(con->request.htags & HTTP_HEADER_HOST)) {
            saveb = &con->request.http_host;
+            if (vlen >= 1024) { /*(expecting < 256)*/
+                if (srv->srvconf.log_request_header_on_error) {
+                    log_error_write(srv, __FILE__, __LINE__, "s", "uri-authority too long -> 400");
+                    log_error_write(srv, __FILE__, __LINE__, "Sb",
+                                    "request-header:\n", con->request.request);
+                }
+                return 0; /* invalid header */
+            }
        }
        else if (state->reqline_host) {
            /* ignore all Host: headers as we got Host in request line */
@ -867,6 +871,14 @@ static size_t http_request_parse_reqline(server *srv, connection *con, parse_hea

 	if (state->reqline_host) {
 		/* Insert as host header */
+		if (state->reqline_hostlen >= 1024) { /*(expecting < 256)*/
+			if (srv->srvconf.log_request_header_on_error) {
+				log_error_write(srv, __FILE__, __LINE__, "s", "uri-authority too long -> 400");
+				log_error_write(srv, __FILE__, __LINE__, "Sb",
+						"request-header:\n", con->request.request);
+			}
+			return 0;
+		}
 		http_header_request_set(con, HTTP_HEADER_HOST, CONST_STR_LEN("Host"), state->reqline_host, state->reqline_hostlen);
 		con->request.http_host = http_header_request_get(con, HTTP_HEADER_HOST, CONST_STR_LEN("Host"));
 	}