[erlang-bugs] Erlang OTP's httpc module denial of service

Seba <>
Fri May 2 11:31:53 CEST 2014

Hi list!

I've found a vulnerability in the httpc module. I'm sorry I can't provide
a patch (I can't code much Erlang yet); I'm attaching a proof of concept.

Let me know if you need further details.


Sebastián Tello


Using httpc to connect to an untrusted server can cause the system to run
out of memory and crash.


When requesting a URL from an untrusted source using the httpc OTP module,
if the server:
 - accepts the connection,
 - does not read from the socket,
 - and indefinitely writes bytes to the socket,

Then the client will keep on allocating memory until the system crashes.

Proof of concept

Server-side (attacker):

Start the malicious server (use the attached module).

1> httpc_dos:server(5678).

Client-side (httpc), connect to the server:

$ erl
Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10]
[hipe] [kernel-poll:false]

Eshell V6.0  (abort with ^G)
1> application:start(inets).
2> httpc:request("http://SERVER_IP:5678").

Crash dump was written to: erl_crash.dump
eheap_alloc: Cannot allocate 1167696400 bytes of memory (of type "heap").

Tested on
OTP 17
Ubuntu 12.04 x86_64


I haven't been able to reproduce the issue using lhttpc
(https://github.com/esl/lhttpc), as the call will crash when the response
size is too large.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20140502/26480310/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: httpc_dos.erl
Type: text/x-erlang
Size: 392 bytes
Desc: not available
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20140502/26480310/attachment.bin>
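For readers who consume untrusted responses with httpc, here is an added client-side mitigation that is not part of the report or of OTP: it streams the body to the calling process in chunks and cancels the request once a byte budget is exceeded, so the caller never accumulates an unbounded body. It assumes inets is already started; the module name bounded_httpc and the 30 s receive timeout are my own choices, and it only bounds body bytes, so whatever httpc buffers before a complete status line and headers arrive is not limited by this code.

```erlang
%% Added example, not code from the bug report or from OTP's httpc.
%% Assumes application:start(inets) has been called by the caller.
-module(bounded_httpc).
-export([get/2]).

%% get(Url, MaxBytes) -> {ok, Headers, Body} | {ok, NonStreamedResult} | {error, Reason}
%% The request is asynchronous and streamed to this process, so the body
%% arrives as chunks instead of one fully buffered binary.
get(Url, MaxBytes) when is_integer(MaxBytes), MaxBytes > 0 ->
    Opts = [{sync, false}, {stream, self}, {body_format, binary}],
    case httpc:request(get, {Url, []}, [], Opts) of
        {ok, RequestId} -> collect(RequestId, MaxBytes, 0, [], undefined);
        {error, Reason} -> {error, Reason}
    end.

%% Accumulate chunks while counting bytes; cancel as soon as the budget is blown.
collect(RequestId, MaxBytes, Received, Acc, Headers) ->
    receive
        {http, {RequestId, stream_start, Hdrs}} ->
            collect(RequestId, MaxBytes, Received, Acc, Hdrs);
        {http, {RequestId, stream, Part}} ->
            NewReceived = Received + byte_size(Part),
            if
                NewReceived > MaxBytes ->
                    %% Stop the transfer and drop what was collected so far.
                    httpc:cancel_request(RequestId),
                    {error, {body_too_large, NewReceived}};
                true ->
                    collect(RequestId, MaxBytes, NewReceived, [Part | Acc], Headers)
            end;
        {http, {RequestId, stream_end, _TrailingHeaders}} ->
            {ok, Headers, iolist_to_binary(lists:reverse(Acc))};
        {http, {RequestId, {error, Reason}}} ->
            {error, Reason};
        {http, {RequestId, Other}} ->
            %% httpc only streams 200 responses; anything else is delivered
            %% as a regular {StatusLine, Headers, Body} result, returned as-is.
            {ok, Other}
    after 30000 ->
        %% Assumed inactivity budget (constructed value): give up if the
        %% server stalls rather than wait forever.
        httpc:cancel_request(RequestId),
        {error, timeout}
    end.
```

Call it as bounded_httpc:get("http://SERVER_IP:5678", 1048576) to cap the accepted body at 1 MiB; the error tuple tells you how many bytes had arrived when the limit was hit.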
