TCP urgent data not handled correctly

Open milabs opened this issue 7 years ago • 3 comments

There is (still) an error in handling URG (urgent) data with TCP.

The following sample results in getting HTTP/1.1 200 OK from http://tempesta-tech.com, but the same sample for NGINX should give an HTTP/1.1 400 Bad Request result.

#include <stdio.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>

int main()
{
	int sd;
	struct sockaddr_in sin = {0}; // zero-initialize all fields, including sin_zero

	sin.sin_port = htons(80);
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = inet_addr("93.115.28.125"); // <-- change it to NGINX address for test 

	sd = socket(AF_INET, SOCK_STREAM, 0);
	if (sd == -1) {
		perror("1");
		exit(-1);
	}
	if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
		perror("2");
		exit(-2);
	}

	const char *str1 = "GET";
	const char *str2 = "/ HTTP/1.0\r\n\r\n";

	send(sd, str1, strlen(str1), 0);
	send(sd, " ", 1, MSG_OOB); // <-- HERE
	send(sd, str2, strlen(str2), 0);

	char data[0x1000];
	ssize_t n = read(sd, data, sizeof(data) - 1); // leave room for the terminating 0
	if (n == -1) {
		perror("3");
		exit(-3);
	}

	data[n] = 0;
	fprintf(stdout, "%s", data);

	return 0;
}

Take a look at the MSG_OOB line. The Linux kernel handles such data in a specific way, so the last byte of OOB data will be removed from the stream. Probably, this incorrect behavior may be used for bypassing filters...

UPDATE (good links to read):

  • RFC 793, RFC 1122, RFC 6093 (the actual one)
  • http://blog.mecheye.net/2017/10/urg/
  • https://msdn.microsoft.com/en-us/library/ms740102(v=vs.85).aspx
  • http://www.serverframework.com/asynchronousevents/2011/10/out-of-band-data-and-overlapped-io.html

milabs, Dec 19 '17 06:12

@milabs thank you for the report! We have had a TODO at https://github.com/tempesta-tech/tempesta/blob/master/tempesta_fw/sock.c#L767 for a while, and this must be fixed.

krizhanovsky, Dec 19 '17 14:12

Yeah, I saw it. Created by me just to have an issue and the sample.

milabs, Dec 19 '17 16:12

Tempesta is about HTTP(S), which has nothing to do with urgent data, so just check the URG and close a client connection, possibly with a warning. No need to process even inline urgent data.

Please develop a functional test or create a task for it.

krizhanovsky, Feb 18 '18 15:02
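
Added example (not code from this issue or from Tempesta): it replays the report's three writes over a loopback connection on Linux and shows the byte stream a userspace receiver reads with and without SO_OOBINLINE, together with the sockatmark() check a server can use to notice urgent data and close the connection. The function name urg_view and the loopback setup are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: sends the report's three writes over loopback and reads
 * them back on the accepted socket. Stores the stream the receiver sees in out;
 * returns 1 if urgent data was noticed, 0 if not, -1 on setup error. */
int urg_view(int oob_inline, char *out, size_t outsz)
{
	struct sockaddr_in a = { .sin_family = AF_INET };
	socklen_t alen = sizeof(a);
	int ls = socket(AF_INET, SOCK_STREAM, 0), cs = socket(AF_INET, SOCK_STREAM, 0);
	int as, urg = 0;
	size_t len = 0;
	ssize_t n;

	a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);	/* port 0: kernel picks one */
	if (ls < 0 || cs < 0 || bind(ls, (struct sockaddr *)&a, alen) < 0 ||
	    listen(ls, 1) < 0 || getsockname(ls, (struct sockaddr *)&a, &alen) < 0 ||
	    connect(cs, (struct sockaddr *)&a, alen) < 0)
		return -1;
	send(cs, "GET", 3, 0);
	send(cs, " ", 1, MSG_OOB);		/* the urgent byte from the report */
	send(cs, "/ HTTP/1.0\r\n\r\n", 14, 0);
	shutdown(cs, SHUT_WR);			/* receiver reads until EOF */
	if ((as = accept(ls, NULL, NULL)) < 0)
		return -1;
	setsockopt(as, SOL_SOCKET, SO_OOBINLINE, &oob_inline, sizeof(oob_inline));
	/* recv() never reads across the urgent mark, so testing the mark after
	 * each call notices urgent data in either mode. */
	while (len < outsz - 1 && (n = recv(as, out + len, outsz - 1 - len, 0)) > 0) {
		len += (size_t)n;
		if (sockatmark(as) == 1)
			urg = 1;	/* a strict HTTP server would close here */
	}
	out[len] = '\0';
	close(as); close(cs); close(ls);
	return urg;
}

int main(void)
{
	char buf[64];
	for (int i = 0; i <= 1; i++)
		printf("SO_OOBINLINE=%d urgent=%d stream=%s", i, urg_view(i, buf, sizeof(buf)), buf);
	return 0;
}
```

Without SO_OOBINLINE the receiver reads `GET/ HTTP/1.0`, while with it the receiver reads `GET / HTTP/1.0`, so two components that disagree on this setting parse different requests from the same packets.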