On Mon, Apr 13, 2026 at 07:57:29AM -0700, James J. Lippard wrote:
> On Mon, Apr 13, 2026 at 04:32:20PM +0200, Claudio Jeker wrote:
> > Here is a diff that actually applies.
> > 
> > The 2nd hunk is enforcing that Content-Length and Transfer-Encoding:
> > chunked can not co-exist.
> > 
> > -- 
> > :wq Claudio
> > 
> > Index: server_http.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> > diff -u -p -r1.161 server_http.c
> > --- server_http.c   2 Mar 2026 19:24:58 -0000       1.161
> > +++ server_http.c   13 Apr 2026 14:18:54 -0000
> > @@ -396,8 +396,13 @@ server_read_http(struct bufferevent *bev
> >             }
> >  
> >             if (strcasecmp("Transfer-Encoding", key) == 0 &&
> > -               strcasecmp("chunked", value) == 0)
> > +               strcasecmp("chunked", value) == 0) {
> >                     desc->http_chunked = 1;
> > +           } else {
> > +                   server_abort_http(clt, 400,
> > +                       "malformed transfer-encoding");
> > +                   goto abort;
> > +           }
> >  
> >             if (clt->clt_line != 1) {
> >                     if ((hdr = kv_add(&desc->http_headers, key,
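
Review bot: the new else branch hangs off the combined test (`strcasecmp("Transfer-Encoding", key) == 0 && strcasecmp("chunked", value) == 0`), so it runs for every header line that is not exactly Transfer-Encoding: chunked, and each such request is aborted with 400 "malformed transfer-encoding". Test the key in an outer if and compare the value inside it, so the abort applies only when the key is Transfer-Encoding.
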
> > @@ -479,6 +484,10 @@ server_read_http(struct bufferevent *bev
> >             case HTTP_METHOD_TRACE:
> >             default:
> >                     server_abort_http(clt, 405, "method not allowed");
> > +                   return;
> > +           }
> > +           if (clt->clt_toread > 0 && desc->http_chunked) {
> > +                   server_abort_http(clt, 400, "malformed");
> >                     return;
> >             }
> >             if (desc->http_chunked) {
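
Review bot: the message in the added `server_abort_http(clt, 400, "malformed")` call does not say what was malformed, while the first hunk uses "malformed transfer-encoding". A message that names the Content-Length and Transfer-Encoding conflict would make the rejection easier to diagnose, and a one-line comment above the check saying why the two are mutually exclusive would help the next reader.
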
> 
> 
> Shouldn't that first part be (as in the original suggested patch):
> 
> if (strcasecmp("Transfer-Encoding", key) == 0) {
>     if (strcasecmp("chunked", value) == 0)
>         desc->http_chunked = 1;
>     else {
>         server_abort_http(clt, 400,
>             "malformed transfer-encoding");
>         goto abort;
>     }
> }
> 
> Otherwise you're going to produce a bunch of incorrect 400 responses for 
> other headers.
> 

Yes. I should not do 3 times at once.

-- 
:wq Claudio

Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
diff -u -p -r1.161 server_http.c
--- server_http.c       2 Mar 2026 19:24:58 -0000       1.161
+++ server_http.c       13 Apr 2026 15:04:20 -0000
@@ -395,9 +395,15 @@ server_read_http(struct bufferevent *bev
                        }
                }
 
-               if (strcasecmp("Transfer-Encoding", key) == 0 &&
-                   strcasecmp("chunked", value) == 0)
-                       desc->http_chunked = 1;
+               if (strcasecmp("Transfer-Encoding", key) == 0) {
+                       if (strcasecmp("chunked", value) == 0) {
+                               desc->http_chunked = 1;
+                       } else {
+                               server_abort_http(clt, 400,
+                                   "malformed transfer-encoding");
+                               goto abort;
+                       }
+               }
 
                if (clt->clt_line != 1) {
                        if ((hdr = kv_add(&desc->http_headers, key,
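
Review bot: the inner `strcasecmp("chunked", value)` is a whole-string match, so any other value, including a coding list that ends in chunked such as "gzip, chunked", takes the else branch and gets the 400. If that strictness is intended, a short comment above the outer if stating that only a bare chunked is accepted would document it. The hunk also sets `desc->http_chunked = 1` again on a repeated Transfer-Encoding: chunked line without complaint, so it is worth deciding whether a duplicate header should be rejected as well.
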
@@ -479,6 +485,10 @@ server_read_http(struct bufferevent *bev
                case HTTP_METHOD_TRACE:
                default:
                        server_abort_http(clt, 405, "method not allowed");
+                       return;
+               }
+               if (clt->clt_toread > 0 && desc->http_chunked) {
+                       server_abort_http(clt, 400, "malformed");
                        return;
                }
                if (desc->http_chunked) {
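
Review bot: the added check `clt->clt_toread > 0 && desc->http_chunked` only fires when clt_toread is positive. If clt_toread holds the parsed Content-Length at this point, as the description of this hunk implies, a request carrying Content-Length: 0 together with Transfer-Encoding: chunked still falls through to the `if (desc->http_chunked)` branch. Consider recording that a Content-Length header was seen and testing that flag instead of the value.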
