[erlang-bugs] Erlang OTP's httpc module denial of service
Ingela Anderton Andin
Ingela.Anderton.Andin@REDACTED
Thu Jul 31 17:07:05 CEST 2014
Hi!
Thank you for your report. Sorry for the late answer, I have created an
issue to look into this.
Regards Ingela - Erlang/OTP team - Ericsson AB
On 05/02/2014 11:31 AM, Seba wrote:
> Hi list!
>
> I've found a vulnerability in the httpc module. I'm sorry I can't
> provide a patch (I can't code much erlang yet), I'm attaching a proof of
> concept though.
>
> Let me know if you need further details.
>
> Regards,
>
> Sebastián Tello
>
>
> Summary
> =======
>
> Using httpc to connect to an untrusted server can cause the system to
> run out of memory and crash.
>
>
> Description
> ===========
>
> When requesting a URL from an untrusted source using the httpc OTP
> module, if the server:
> - accepts the connection
> - does not read from the socket
> - and indefinitely writes bytes in the socket.
>
> Then the client will keep on allocating memory until the system crashes.
>
>
> Proof of concept
> ================
>
> Server-side (attacker):
>
> Start the malicious server (use the attached module).
>
> 1> httpc_dos:server(5678).
>
>
> Client-side (httpc), connect to the server:
>
> $ erl
> Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10]
> [hipe] [kernel-poll:false]
>
> Eshell V6.0 (abort with ^G)
> 1> application:start(inets).
> ok
> 2> httpc:request("http://SERVER_IP:5678").
>
> Crash dump was written to: erl_crash.dump
> eheap_alloc: Cannot allocate 1167696400 bytes of memory (of type "heap").
>
> Tested on
> =========
> OTP 17
> Ubuntu 12.04 x86_64
>
> Workaround
> ==========
>
> I haven't been able to reproduce the issue using lhttpc
> (https://github.com/esl/lhttpc) as the call will crash when the response
> size is too large.
>
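The report's underlying point is that an HTTP client reading from an untrusted peer must bound what it buffers in both phases: while waiting for the header section to complete, and while reading a body whose length it does not know. The following added example illustrates that mitigation in Python; it is not code from the original report, from httpc or from Erlang/OTP, and it does not describe how httpc itself is implemented. The cap values (`MAX_HEADER_BYTES`, `MAX_BODY_BYTES`), the function names and the local test fixture are assumptions made for this illustration. The fixture models the behaviour the report describes (accept the connection, never read, write indefinitely) on a loopback port so the bounded reader can be exercised offline.

```python
import socket
import threading

# Caps on what the client will hold in memory for one response
# (hypothetical values chosen for this example).
MAX_HEADER_BYTES = 16 * 1024
MAX_BODY_BYTES = 1024 * 1024


class ResponseTooLarge(Exception):
    """Raised instead of buffering past the configured cap."""


def read_bounded_response(sock, max_header=MAX_HEADER_BYTES, max_body=MAX_BODY_BYTES):
    """Read one HTTP/1.x response from sock without ever holding more than the caps."""
    buf = b""
    # Header phase: a peer that never finishes its headers is cut off at max_header.
    while b"\r\n\r\n" not in buf:
        if len(buf) >= max_header:
            raise ResponseTooLarge("header section exceeds %d bytes" % max_header)
        chunk = sock.recv(min(4096, max_header - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed before the headers were complete")
        buf += chunk
    header_blob, body = buf.split(b"\r\n\r\n", 1)
    header_lines = header_blob.split(b"\r\n")
    status_line = header_lines[0]
    headers = {}
    for line in header_lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    length = headers.get(b"content-length")
    if length is not None:
        # Declared length: refuse before reading if it exceeds the cap, else read exactly it.
        if not length.isdigit():
            raise ValueError("malformed Content-Length")
        expected = int(length)
        if expected > max_body:
            raise ResponseTooLarge("declared body of %d bytes exceeds %d" % (expected, max_body))
        while len(body) < expected:
            chunk = sock.recv(min(65536, expected - len(body)))
            if not chunk:
                raise ConnectionError("peer closed before the declared body was complete")
            body += chunk
        return status_line, headers, body[:expected]

    # No declared length: read until close, but stop as soon as the cap is passed.
    while len(body) <= max_body:
        chunk = sock.recv(min(65536, max_body + 1 - len(body)))
        if not chunk:
            return status_line, headers, body
        body += chunk
    raise ResponseTooLarge("body exceeds %d bytes" % max_body)


def fetch(host, port, path="/", **caps):
    """Send a GET with Connection: close and read the reply under the caps."""
    sock = socket.create_connection((host, port), timeout=5)
    try:
        request = b"GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (
            path.encode(), host.encode())
        sock.sendall(request)
        return read_bounded_response(sock, **caps)
    finally:
        sock.close()


def start_test_server(mode):
    """Constructed loopback fixture modelling the report's server: it accepts and never
    reads; in modes 'no-headers' and 'headers' it writes until the client hangs up,
    in mode 'benign' it sends a small well-formed reply and closes."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        conn.settimeout(5)
        try:
            if mode == "benign":
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
                return
            if mode == "headers":
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n")
            while True:
                conn.sendall(b"A" * 65536)
        except OSError:
            pass  # the client disconnected or timed out; the fixture is done
        finally:
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(mode):
    """Return 'too_large' if a cap fired, otherwise the body the peer sent."""
    port = start_test_server(mode)
    try:
        _, _, body = fetch("127.0.0.1", port)
    except ResponseTooLarge:
        return "too_large"
    return body
```

Running `probe("benign")` returns `b"hello"`, while both `probe("no-headers")` and `probe("headers")` return `"too_large"` after at most `MAX_HEADER_BYTES` or `MAX_BODY_BYTES` plus one byte have been buffered; memory use is bounded by the caps rather than by the peer. The two separate caps matter: the report's server can withhold the header terminator forever, so a limit that only applies once headers are parsed would not help. The same principle applies to any client library, whatever the language.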