[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: LuaSocket: No way to protect against fuzzing attacks?
- From: Sam Roberts <vieuxtech@...>
- Date: Tue, 11 Oct 2011 12:36:38 -0700
On Tue, Oct 11, 2011 at 12:37 AM, HyperHacker <firstname.lastname@example.org> wrote:
> To properly defend against this attack, the server needs to be able to either:
> 2) Read all data received in the next x seconds or the next n bytes,
> whichever comes first. (Bonus if "or until the next line break" is
> also an option.) The server can then buffer lines in the same manner
> as option 1.
If you :settimeout(t>0), then call receive(n/"*l"), and the timeout
occurs before n bytes/a line
has been read, you should get
nil, "timeout", partial
as the result.
> Unfortunately, LuaSocket doesn't seem to offer methods to do either of
> these, thus leaving every server using it vulnerable to such attacks.
I think luasocket provides the required functionality, though you
might not be able to take advantage
of some of its high-level buffering.
If you can reliably reproduce it not behaving as documented or
describe why it is impossible to use, I might have time to fix it (I'm
collecting patches at https://github.com/sam-github/luasocket).
luasocket's buffering is convenient, but not necessarily what you want
for a server. And a multiplexing
server will need to set the timeouts to 0 on all sockets, and to use select().
If you do that, you will need to buffer the data yourself, and
evaluate your conditions for determining when a peer is misbehaving.
You'll have to track time associated with each connection, and buffer
the data for each connection yourself.
Apache, as I recall, has a short timeout in which it requires seeing
some data, then a longer one to recv the complete head of the request.
Your buffering scheme can use the prefix argument to :receive(), if it
wishes, or use a table as a queue of segments, and concat them with
You might find the code below useful to explore some of these
behaviours, though it doesn't multiplex using select. As a start, try
calling it like:
./read-safely 4567 "*l" 4
with a client:
(sleep 10; echo -n helo; sleep 10; echo bye; sleep 10) | nc localhost 4567
------ read-safely -----
if arg == "-h" then
print("usage: "..arg.." port pattern timeout")
port = tonumber(arg) or 0
pattern = arg or 1024
timeout = arg or 10
print("port", port, "pattern", pattern, "timeout", timeout)
serv = assert(socket.tcp())
sock = assert(serv:accept())
while true do
mesg, emsg, part = sock:receive(pattern)
if emsg then print("error", emsg) end
assert(mesg or emsg == "timeout", emsg)
if mesg then
print("recv mesg", #mesg, "<"..mesg..">")
elseif #part > 0 then
print("recv part", #part, "<"..part..">")