Boost logo

Boost :

Subject: Re: [boost] [Beast] Security issue note
From: Artyom Beilis (artyom.beilis_at_[hidden])
Date: 2017-06-28 05:25:25


On Wed, Jun 28, 2017 at 12:30 AM, Vinnie Falco via Boost
<boost_at_[hidden]> wrote:
> On Tue, Jun 27, 2017 at 1:40 PM, Artyom Beilis via Boost
> <boost_at_[hidden]> wrote:
>> Looking into parser/body code I noticed:
>> ...
>> Basically I can exhaust the memory of the server and kill it by
>> providing huge content length from several connections and lead to its
>> crash.
>>
>> Reasonable and configurable limit should be provided for content length.
>
> That's reasonable although note that you can put a max buffer size on
> the dynamic buffers that come with Beast, and it will naturally take
> care of limits. For example:
>
> beast::http::request<beast::http::dynamic_body> req{1024 * 1024};
>
> will create a request that has a 1MB limit on the body. The moment the
> reader goes to resize the dynamic buffer, it will return a
> beast::http::error::buffer_overflow error.
>

It does not fix security flaw of using http::string_body!

> Still, your suggestion to add something like `void
> basic_parser::max_content_length(std::size_t)` is a good idea. Thanks!
>

Note: the default and reasonable max_context_length must be defined by default.

std::size_t isn't good for max_content_length, it should be unsigned long long
or uint64_t because if you use it for file upload on 32 bit system you want to
support files above 4GB.

Regards,

Artyom Beilis


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk