From 2eaf499375918fca4055c9463263ea48078370b0 Mon Sep 17 00:00:00 2001
From: Joel Sherrill <joel.sherrill@OARcorp.com>
Date: Wed, 8 Feb 2006 16:16:42 +0000
Subject: 2006-02-08	Thomas Rauscher  <trauscher@loytec.com>

	PR 890/networking
	* httpd/webs.c: The webservers enters an infinite loop when a POST
	request with less data than indicated in the Content-Length header is
	received. It also consumes additional heap memory and a file
	descriptor for each invalid POST.
---
 cpukit/ChangeLog    | 8 ++++++++
 cpukit/httpd/webs.c | 5 +++++
 2 files changed, 13 insertions(+)

(limited to 'cpukit')

diff --git a/cpukit/ChangeLog b/cpukit/ChangeLog
index 4ceacdd4c3..6b871c3776 100644
--- a/cpukit/ChangeLog
+++ b/cpukit/ChangeLog
@@ -1,3 +1,11 @@
+2006-02-08	Thomas Rauscher  <trauscher@loytec.com>
+
+	PR 890/networking
+	* httpd/webs.c: The webservers enters an infinite loop when a POST
+	request with less data than indicated in the Content-Length header is
+	received. It also consumes additional heap memory and a file
+	descriptor for each invalid POST.
+
 2006-02-01	Joel Sherrill <joel@OARcorp.com>
 
 	* posix/inline/rtems/posix/cond.inl, posix/macros/rtems/posix/cond.inl,
diff --git a/cpukit/httpd/webs.c b/cpukit/httpd/webs.c
index 9073fe8b7c..4465a72afe 100644
--- a/cpukit/httpd/webs.c
+++ b/cpukit/httpd/webs.c
@@ -583,6 +583,11 @@ static int websGetInput(webs_t wp, char_t **ptext, int *pnbytes)
 			return -1;
 
 		}  else if (nbytes == 0) {				/* EOF or No data available */
+	                /* Bugfix for POST DoS attack with invalid content length */
+                  	if (socketEof(wp->sid)) {
+                    		websDone(wp, 0);
+                  	}
+	                /* End of bugfix */
 			return -1;
 
 		} else {								/* Valid data */
-- 
cgit v1.2.3