| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Sep 2010 13:08:13 -0700 From: Rick Jones <rick.jones2@...com> To: Willy Tarreau <w@....eu> CC: Herbert Xu <herbert@...dor.hengli.com.au>, netdev@...r.kernel.org Subject: Re: TCP: orphans broken by RFC 2525 #2.17 Willy Tarreau wrote: > Hi Herbert, > > On Mon, Sep 27, 2010 at 04:02:22PM +0800, Herbert Xu wrote: > >>Willy Tarreau <w@....eu> wrote: >> >>>Looking more closely, I noticed that in traces showing the issue, >>>the client was sending an additional CRLF after the data in a >>>separate packet (permitted eventhough not recommended). >> >>Where is this permitted? RFC2616 says: >> >> Certain buggy HTTP/1.0 client implementations generate >> extra CRLF's after a POST request. To restate what is >> explicitly forbidden by the BNF, an HTTP/1.1 client MUST >> NOT preface or follow a request with an extra CRLF. > > > And the paragraph just before says : > > In the interest of robustness, servers SHOULD ignore any empty > line(s) received where a Request-Line is expected. In other words, if > the server is reading the protocol stream at the beginning of a > message and receives a CRLF first, it should ignore the CRLF. It is the HTTP server code being addressed there, not the underlying TCP stack is it not? rick jones -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists