Nmap Development mailing list archives

Re: http.lua not handling malformed HTTP response gracefully


From: David Fifield <david () bamsoftware com>
Date: Wed, 8 Jul 2009 21:16:21 -0600

On Thu, Jul 02, 2009 at 08:41:17PM +0000, Brandon Enright wrote:
> Hey all, I ran into a machine on campus (Canon printer) that causes
> NSE to hang forever in a busy-loop.  Since the script never yields, even
> host timeout doesn't help.
> 
> Thanks to David's sharp eye and troubleshooting genius, I have attached
> a simple test case.
> 
> You can make a listener with:
> 
> sudo ncat -l 80 --sh-exec "cat bad-http.txt"
> 
> And you can scan it with:
> 
> nmap --script=html-title -p 80 -d2 localhost
> 
> With high debugging on, you should see something like:
> 
> ...
> NSOCK (0.1030s) Read request from IOD #1 [x.y.179.88:80] (timeout: 7000ms) EID 34
> NSOCK (0.1030s) nsock_loop() started (timeout=50ms). 1 events pending
> NSOCK (0.1030s) Callback: READ EOF for EID 34 [x.y.179.88:80]
> NSE: TCP x.y.1.115:38187 > x.y.179.88:80 | CLOSE
> <hang forever at 100% CPU here>
> 
> David points out that the likely culprit is that the HTTP response
> includes "Transfer-Encoding: chunked" but the response is not actually
> chunked.

I believe this is fixed in r14121. I added much more robust handling of
the chunked transfer encoding. Unless I made an implementation error, it
supports everything from section 3.6.1 of RFC 2616. It also reports an
error if a body is truncated, where the old code would silently ignore
that.

This bug prevented me from completing any of Patrick's NSE performance
tests, but with it fixed I completed a test for the first time.

I made some test files with different varieties of chunked bodies. I'll
try to attach them. Here's a summary of how the new code differs from
the old in the test cases. The old code is on the left, the new on the
right.

        r14120                  r14121
1. Not chunked; error expected
        hang                    error reported
2. Properly chunked, no chunk-extensions, no LWS
        success                 success
3. Properly chunked, no chunk-extensions, extra space
        success                 success
4. Properly chunked, chunk-extensions without quoted-strings
        hang                    success
5. Properly chunked, chunk-extensions with quoted-strings
        hang                    success
6. chunk-extensions with quoted-strings, \ at end of string, error expected
        hang                    error reported
7. chunk-extensions with quoted-strings, non-ASCII following backslash, error expected
        hang                    error reported
8. chunk-extensions with quoted-strings and control characters, error expected
        hang                    error reported
9. Inaccurate chunk size, error expected
        silent truncation       error reported

David Fifield

Attachment: http-chunked-tests.tar.gz
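As an added example (not code from this thread or from Nmap's http.lua, and in Python rather than Lua so it runs as-is), here is a decoder for RFC 2616 section 3.6.1 chunked bodies that behaves the way the r14121 column above describes: it rejects a body that is not chunked at all, accepts chunk-extensions with tokens or quoted-strings, and reports an error on a bad quoted-pair, a control character, a truncated chunk or a chunk-size that does not match the data, instead of looping or truncating silently. The byte strings in the comments and checks are constructed for illustration.

```python
import re
HEX = re.compile(rb"[0-9A-Fa-f]+")
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
LWS = re.compile(rb"[ \t]*")
# quoted-string = <"> *(qdtext | quoted-pair) <">: qdtext excludes CTLs (HT aside), quoted-pair is "\" + one US-ASCII CHAR
QUOTED = re.compile(rb'"(?:[^"\\\x00-\x08\x0a-\x1f\x7f]|\\[\x00-\x7f])*"')

def _ext_val(data, pos):  # chunk-ext-val = token | quoted-string; returns (unescaped value, next offset)
    m = QUOTED.match(data, pos) if data[pos:pos + 1] == b'"' else TOKEN.match(data, pos)
    if not m:
        raise ValueError("bad chunk-ext-val at offset %d" % pos)
    val = m.group()
    if val[:1] == b'"':
        val = re.sub(rb"\\([\x00-\x7f])", rb"\1", val[1:-1])  # undo quoted-pair escapes
    return val, m.end()

def _extensions(data, pos, exts):  # *( ";" chunk-ext-name [ "=" chunk-ext-val ] ), LWS tolerated around each part
    pos = LWS.match(data, pos).end()
    while data[pos:pos + 1] == b";":
        name = TOKEN.match(data, LWS.match(data, pos + 1).end())
        if not name:
            raise ValueError("bad chunk-ext-name at offset %d" % pos)
        val, pos = None, LWS.match(data, name.end()).end()
        if data[pos:pos + 1] == b"=":
            val, pos = _ext_val(data, LWS.match(data, pos + 1).end())
            pos = LWS.match(data, pos).end()
        exts.append((name.group(), val))
    return pos

def decode_chunked(data):
    """Return (body, [(ext-name, ext-val), ...]); raise ValueError instead of hanging or truncating silently."""
    body, exts, pos = bytearray(), [], 0
    while True:
        m = HEX.match(data, pos)
        if not m:  # e.g. a body that is not chunked at all despite its Transfer-Encoding header
            raise ValueError("expected chunk-size at offset %d" % pos)
        pos = _extensions(data, m.end(), exts)
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("expected CRLF after chunk-size line")
        size, pos = int(m.group(), 16), pos + 2
        if size == 0: break  # last-chunk
        if len(data) - pos < size:
            raise ValueError("truncated chunk-data")
        body += data[pos:pos + size]; pos += size
        if data[pos:pos + 2] != b"\r\n":  # the declared chunk-size did not match the data that followed
            raise ValueError("chunk-data not terminated by CRLF")
        pos += 2
    if data.find(b"\r\n\r\n", pos - 2) < 0:  # trailer = *(entity-header CRLF) then a bare CRLF
        raise ValueError("truncated trailer")
    return bytes(body), exts
```

Every loop consumes at least one byte per iteration, so a malformed body can only end in an exception, never in the busy-loop Brandon observed.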


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
