AdaCore / aws

AWS is a complete framework to develop Web based applications in Ada.

Denial of Service vulnerability, connection kept unclosed after sending S304/S404 response #372

Open dsauvage opened 1 year ago

dsauvage commented 1 year ago

Description

As we can see in src/core/aws-server-http_utils.adb:1596

         if F_Status in Up_To_Date .. Not_Found then
            if F_Status = Up_To_Date then
               --  [RFC 2616 - 10.3.5]
               Status_Code := Messages.S304;
            else
               --  File is not found on disk, returns now with 404
               Status_Code := Messages.S404;
            end if;

            Set_General_Header (Status_Code);

            Headers.Send_Header
              (Socket => Sock, Headers => H_List, End_Block => True);

            return;

S304 or S404 responses can be sent to the client without closing the connection, as Will_Close is not set to True in the case above.

AWS is then vulnerable to Denial of Service attacks as all the server tasks can be easily set aside.

Using Will_Close inside Set_General_Header without declaring it as a procedure in-parameter is error-prone. The proposed patch fixes this issue by setting Will_Close to True in the case above, and adding Will_Close as an in-parameter to procedure Set_General_Header:

            Will_Close := True;
            Set_General_Header (Status_Code, Will_Close);

Patch

aws-server-http_utils.adb.patch.txt
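A regression check for the behaviour described above, added here as an example; it is not code from the issue, the patch, or AWS. It sends one request for a missing path and reports whether the server leaves the connection open afterwards. The in-process sample server and the names `make_handler`, `connection_state_after_404` and `check` are assumptions made for the example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def make_handler(close_after_error):
    """Constructed stand-in server for the check; not AWS code."""
    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"   # persistent connections by default

        def do_GET(self):
            self.send_response(404)
            self.send_header("Content-Length", "0")
            if close_after_error:
                # Assumed mapping: plays the role of Will_Close := True
                self.send_header("Connection", "close")
            self.end_headers()

        def log_message(self, *args):   # keep the check quiet
            pass
    return Handler


def connection_state_after_404(host, port, idle_wait=0.5):
    """Request a missing path once; return (status, still_open)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(b"GET /no-such-file HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n")
        head = b""
        while b"\r\n\r\n" not in head:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before sending a response")
            head += chunk
        status = int(head.split(b" ", 2)[1])
        s.settimeout(idle_wait)
        try:
            still_open = s.recv(1) != b""   # b"" means the server closed
        except socket.timeout:
            still_open = True               # no EOF: a server slot is still held
        return status, still_open


def check(close_after_error):
    """Run the probe against the in-process sample server."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(close_after_error))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return connection_state_after_404("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
```

`check(False)` models the reported behaviour (404 sent, connection still open) and `check(True)` models the patched behaviour (404 sent, connection closed).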

TurboGit commented 11 months ago

Thanks, sounds good.

TurboGit commented 1 week ago

@dsauvage: After reading again section "8.1 Persistent Connections" of RFC 2616, it seems that this is not correct. We don't have to close a connection in case of a 304 or 404 error message. Can you please comment on the rationale of this patch? TIA.