
Subject: [boost] [Beast] Security issue note
From: Artyom Beilis (artyom.beilis_at_[hidden])
Date: 2017-06-27 20:40:57


Looking into parser/body code I noticed:

parser:

    // parser: hands the declared Content-Length straight to the body reader
    void
    on_body(boost::optional<
        std::uint64_t> const& content_length,
            error_code& ec)
    {
        wr_.emplace(m_);
        wr_->init(content_length, ec);
    }

string_body:

    // string_body reader: reserves whatever the client declared, limited only
    // by what fits in a std::size_t
    void
    init(boost::optional<
        std::uint64_t> content_length, error_code& ec)
    {
        if(content_length)
        {
            if(*content_length > (std::numeric_limits<
                    std::size_t>::max)())
            {
                ec = make_error_code(
                    errc::not_enough_memory);
                return;
            }
            ec.assign(0, ec.category());
            body_.reserve(static_cast<
                std::size_t>(*content_length));
        }
    }

Basically I can exhaust the memory of the server and kill it by
providing a huge content length from several connections, leading to its
crash.

A reasonable and configurable limit should be provided for content length.

Artyom Beilis
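The mitigation the post asks for, as an added example that is neither Beast's code nor the poster's: a body reader with a configurable limit that is checked against the declared Content-Length before `reserve()` is called, and also enforced cumulatively in `put()` so an unknown-length (chunked) body is bounded as well. The class name, the `body_limit` parameter, its 1 MiB default and the use of `std::optional` in place of `boost::optional` are all assumptions made so the example builds without Boost.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <optional>
#include <string>
#include <string_view>
#include <system_error>

// Hypothetical hardened body reader (not Beast's own code). It keeps the
// original overflow check but adds a configurable body_limit that is enforced
// both up front, from the declared Content-Length, and incrementally as bytes
// arrive, so chunked or unknown-length bodies are bounded too.
class bounded_string_reader
{
public:
    // The 1 MiB default is an assumed value; a server would tune this.
    explicit bounded_string_reader(std::uint64_t body_limit = 1024 * 1024)
        : body_limit_(body_limit)
    {
    }

    // Called once when headers are complete, before any body bytes are read.
    void init(std::optional<std::uint64_t> content_length, std::error_code& ec)
    {
        ec.clear();
        if(!content_length)
            return;                         // unknown length: bounded by put()
        if(*content_length > body_limit_)
        {
            // Reject the request before reserving a single byte.
            ec = std::make_error_code(std::errc::message_size);
            return;
        }
        if(*content_length > (std::numeric_limits<std::size_t>::max)())
        {
            ec = std::make_error_code(std::errc::not_enough_memory);
            return;
        }
        body_.reserve(static_cast<std::size_t>(*content_length));
    }

    // Called for each piece of body data; enforces the same limit cumulatively,
    // written so the subtraction cannot underflow.
    void put(std::string_view data, std::error_code& ec)
    {
        ec.clear();
        if(body_.size() > body_limit_ ||
           data.size() > body_limit_ - body_.size())
        {
            ec = std::make_error_code(std::errc::message_size);
            return;
        }
        body_.append(data.data(), data.size());
    }

    std::string const& body() const { return body_; }

private:
    std::string body_;
    std::uint64_t body_limit_;
};

// Does a declared Content-Length pass init() under the given limit?
bool accepts_content_length(std::uint64_t declared, std::uint64_t limit)
{
    bounded_string_reader r(limit);
    std::error_code ec;
    r.init(declared, ec);
    return !ec;
}

// How many bytes of an unknown-length body are accepted before put() refuses?
std::size_t bytes_accepted_without_length(std::size_t chunk, int chunks,
                                          std::uint64_t limit)
{
    bounded_string_reader r(limit);
    std::error_code ec;
    r.init(std::nullopt, ec);
    std::string piece(chunk, 'x');        // constructed sample body data
    for(int i = 0; i < chunks && !ec; ++i)
        r.put(piece, ec);
    return r.body().size();
}
```

The limit has to be small relative to the server's memory, not merely below `SIZE_MAX`: the original check only prevents a single impossible reservation, while the attack described above uses many connections each declaring a length that is individually allocatable. Rejecting in `init()` also means the error surfaces before any body bytes are read, so the connection can be closed with no allocation having taken place.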


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk