[erlang-questions] bug in ssl?

Wed Jun 1 10:35:46 CEST 2011

Hi!

Will the following patch make the problem go away?

diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl
index f1c0073..ed57166 100644
--- a/lib/ssl/src/ssl_record.erl
+++ b/lib/ssl/src/ssl_record.erl
@@ -62,6 +62,8 @@

 -compile(inline).

+-define(INITIAL_BYTES, 5).
+
 %%====================================================================
 %% Internal application API
 %%====================================================================
@@ -368,8 +370,12 @@ get_tls_records_aux(<<1:1, Length0:15, _/binary>>,_Acc)
     ?ALERT_REC(?FATAL, ?RECORD_OVERFLOW);

 get_tls_records_aux(Data, Acc) ->
-    {lists:reverse(Acc), Data}.
-
+    case size(Data) =< ?MAX_CIPHER_TEXT_LENGTH + ?INITIAL_BYTES of
+       true ->
+           {lists:reverse(Acc), Data};
+       false ->
+           ?ALERT_REC(?FATAL, ?UNEXPECTED_MESSAGE)
+       end.
 %%--------------------------------------------------------------------
 -spec protocol_version(tls_atom_version() | tls_version()) ->
                              tls_version() | tls_atom_version().


Regards Ingela Erlang/OTP team - Ericsson AB


2011/6/1 vinod hg <vinodhg@REDACTED>:
> Hi,
>
>
>
> I am using mochiweb as a https web server for my application (Secured socket
> layer). I am new to security.
>
> One of the users reported that sending random data to the web server port
> makes beam.smp to consume 100% CPU indefinitely for a very long period.
>
>
>
> Step to reproduce
>
> 1.       Start a mochiweb https server (can use mochiweb web storage app
> example provided with no other options) on a specific port (ex: 8443 )
>
> 2.       Run the command “nc  [IP address]  8443 <  /dev/urandom”
>
> 3.       The server rejects the connection (you may get ssl record error
> sometimes). The command returns to the shell
>
> 4.       Repeat the above command for some time till the command doesn’t
> return back to shell.
>
> 5.       Observe beam.smp taking 100% CPU and also  memory getting increase.
> (It may reach system limit and crash)
>
> 6.       If you stop the command (nc ^C), it returns to normal
>
>
>
> Observations
>
> It is reproducible in both Linux and windows.
>
> It happens for other https web server (tried with musultin)
>
> It does not happen for http server (should be in lib ssl).
>
> Tried giving different SSL options like {verify, verify_peer} with empty
> certificate as valid, but did not help.
>
> For other web servers written in other language this is not the behavior.
> Example lighttpd (php) nc just returns back to shell everytime.
>
>
>
>
>
> I debugged the issue to find that in other cases where the nc commands
> return immediately to shell the ssl connection does not succeed (behaves
> normally).
>
> But for the case where nc does not return back, the call is in an infinite
> loop “next_tls_record in ssl_connection.erl” , thus making the CPU to take
> 100% and in memory increase.
>
>
>
> This can lead denial of service attack. Is this a bug and should I raise it
> in bug report forum.
>
>
>
> Any help will be appreciated.
>
> Thanks & Regards,
>
> Vinod
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>

