Incompatibility - Content-length parsing

Hi,

I noticed that parsing of HTTP header fields is not robust enough and not RFC compliant - and that way it causes incompatibility with Microsoft TMG proxy with NTLM authentication.

The symptom is "Proxy-Authenticate: Invalid Content-Length" message while the header received is "Content-Length: 0 " <- note trailing spaces.

The responsible piece of code is in protocol.c:

if(tmpstr==line+16 || *tmpstr || content_length<0) {

(tmpstr contains trailing spaces in this case).

According to RFC 7230 trailing space is allowed and should be discarded by parser:

A field value might be preceded and/or followed by optional whitespace (OWS); a single SP preceding the field-value is preferred for consistent readability by humans. The field value does not include any leading or trailing whitespace: OWS occurring before the first non-whitespace octet of the field value or after the last non-whitespace octet of the field value ought to be excluded by parsers when extracting the field value from a header field.

best regards
--
Marcin Gryszkalis, PGP 0xA5DBEEC7 jabber jid:mg@fork.pl
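The RFC 7230 rule quoted in the message above, as an added example that is not part of the original post and is not stunnel's code: a Content-Length parser that strips OWS (SP and HTAB only) on both sides and then accepts nothing but decimal digits. The names `parse_content_length` and `is_ows`, the return codes and the sample lines are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* RFC 7230 OWS is SP / HTAB only; isspace() would also accept CR, LF, VT, FF. */
static int is_ows(char ch) { return ch == ' ' || ch == '\t'; }

/* Hypothetical helper: parse one header line (CRLF already removed).
 * Returns the length (>= 0), -1 if the line is not Content-Length,
 * -2 if the value is malformed or out of range. */
long parse_content_length(const char *line) {
    static const char name[] = "Content-Length:";
    const char *p, *end, *q;
    char *stop;
    long value;

    if (strncasecmp(line, name, sizeof name - 1) != 0)
        return -1;                      /* field names are case-insensitive */
    p = line + sizeof name - 1;
    while (is_ows(*p))                  /* leading OWS */
        ++p;
    end = p + strlen(p);
    while (end > p && is_ows(end[-1]))  /* trailing OWS, e.g. "0  " */
        --end;
    if (end == p)
        return -2;                      /* empty value */
    for (q = p; q < end; ++q)
        if (*q < '0' || *q > '9')       /* digits only: no sign, no "12abc" */
            return -2;
    errno = 0;
    value = strtol(p, &stop, 10);
    if (errno == ERANGE || stop != end) /* overflow is an error, not LONG_MAX */
        return -2;
    return value;
}

int main(void) {
    /* Constructed sample lines, including the trailing-space case. */
    const char *samples[] = { "Content-Length: 0  ", "Content-Length:\t42\t",
        "Content-Length: 12abc", "Content-Length: -1", "Content-Length: ",
        "Content-Length: 99999999999999999999999", "Server: x" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof *samples; ++i)
        printf("%-45s -> %ld\n", samples[i], parse_content_length(samples[i]));
    return 0;
}
```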

Hi Marcin,

This should fix it:

diff --git a/src/protocol.c b/src/protocol.c index 16b87e7..8eb8dee 100644 - --- a/src/protocol.c +++ b/src/protocol.c @@ -980,6 +980,9 @@ NOEXPORT void ntlm(CLI *c, SERVICE_OPTIONS *opt) { ntlm2_txt=str_dup(line+25); else if(is_prefix(line, "Content-Length: ")) { content_length=strtol(line+16, &tmpstr, 10); + if(tmpstr>line+16) /* found some digits */ + while(*tmpstr && isspace(*tmpstr)) + ++tmpstr; if(tmpstr==line+16 || *tmpstr || content_length<0) { s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length"); str_free(line);

You may also try stunnel 5.18b1: https://www.stunnel.org/downloads.html

Mike

On 13.05.2015 13:38, Marcin Gryszkalis wrote:
> Hi,
> I noticed that parsing of HTTP header fields is not robust enough and not RFC compliant - and that way it causes incompatibility with Microsoft TMG proxy with NTLM authentication.
> The symptom is "Proxy-Authenticate: Invalid Content-Length" message while the header received is "Content-Length: 0 " <- note trailing spaces.
> The responsible piece of code is in protocol.c: if(tmpstr==line+16 || *tmpstr || content_length<0) {
> (tmpstr contains trailing spaces in this case).
> According to RFC 7230 trailing space is allowed and should be discarded by parser:
> A field value might be preceded and/or followed by optional whitespace (OWS); a single SP preceding the field-value is preferred for consistent readability by humans. The field value does not include any leading or trailing whitespace: OWS occurring before the first non-whitespace octet of the field value or after the last non-whitespace octet of the field value ought to be excluded by parsers when extracting the field value from a header field.
> best regards
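Review bot: in the added `while(*tmpstr && isspace(*tmpstr))` loop, isspace() is called with a plain char, which is undefined behaviour for negative values where char is signed; cast the argument to unsigned char. isspace() also accepts CR, LF, VT and FF, while RFC 7230 defines OWS as SP and HTAB only, so an explicit test such as `*tmpstr==' ' || *tmpstr=='\t'` would match the rule more closely and makes the `*tmpstr &&` guard unnecessary. The unchanged strtol() call in the context lines still skips leading whitespace, accepts a '+' sign and is not checked for ERANGE; `content_length<0` only catches the negative case, so an overflowing value passes as LONG_MAX.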

On 2015-05-13 16:58, Michal Trojnara wrote:
> This should fix it: diff --git a/src/protocol.c b/src/protocol.c

fix confirmed

> You may also try stunnel 5.18b1:

5.18b2 won't build on freebsd because of different scheduler flags

cron.c:82:46: error: use of undeclared identifier 'SCHED_BATCH'
if(pthread_setschedparam(pthread_self(), SCHED_BATCH, &param))

http://www.freebsd.org/cgi/man.cgi?query=pthread_setschedparam&apropos=0&sek...

best regards
--
Marcin Gryszkalis, PGP 0xA5DBEEC7 jabber jid:mg@fork.pl

Hi Marcin,

On 25.05.2015 14:43, Marcin Gryszkalis wrote:
> > This should fix it: diff --git a/src/protocol.c b/src/protocol.c
> fix confirmed

This is good news. Thank you for testing it.

> 5.18b2 won't build on freebsd because of different scheduler flags
> cron.c:82:46: error: use of undeclared identifier 'SCHED_BATCH' if(pthread_setschedparam(pthread_self(), SCHED_BATCH, &param))

Indeed. SCHED_BATCH seems to be only supported on modern versions of Linux, which is not very portable.

On AIX it is possible to set per-thread nice value with thread_setschedparam(): https://www-01.ibm.com/support/knowledgecenter/ssw_aix_71/com.ibm.aix.basetr...

On Linux the same goal can be achieved with setpriority(2): http://manpages.ubuntu.com/manpages/trusty/man2/setpriority.2.html (BUGS section).

I couldn't find a solution for FreeBSD...

Mike