Headline
CVE-2022-34037: [panic]: slice OOB caused by illegal uri · Issue #4775 · caddyserver/caddy
An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI.
In my case, rewr.URI="/#?"
As for the precise log output, I made some modifications to TestRewrite and got this:
func TestRewrite1(t *testing.T) {
	repl := caddy.NewReplacer()

	tc := struct {
		input, expect *http.Request
		rule          Rewrite
	}{
		rule:   Rewrite{URI: "/#?"},
		input:  newRequest(t, "GET", "/foo/bar?a=b"),
		expect: newRequest(t, "GET", "/foo?a=b#frag"),
	}

	// copy the original input just enough so that we can
	// compare it after the rewrite to see if it changed
	originalInput := &http.Request{
		Method:     tc.input.Method,
		RequestURI: tc.input.RequestURI,
		URL:        &*tc.input.URL,
	}

	// ... (part of the test omitted in the report)

	changed := tc.rule.rewrite(tc.input, repl, nil)

	if expected, actual := !reqEqual(originalInput, tc.input), changed; expected != actual {
		t.Errorf("Expected changed=%t but was %t", expected, actual)
	}
	if expected, actual := tc.expect.Method, tc.input.Method; expected != actual {
		t.Errorf("Expected Method='%s' but got '%s'", expected, actual)
	}
	if expected, actual := tc.expect.RequestURI, tc.input.RequestURI; expected != actual {
		t.Errorf("Expected RequestURI='%s' but got '%s'", expected, actual)
	}
	if expected, actual := tc.expect.URL.String(), tc.input.URL.String(); expected != actual {
		t.Errorf("Expected URL='%s' but got '%s'", expected, actual)
	}
	if expected, actual := tc.expect.URL.RequestURI(), tc.input.URL.RequestURI(); expected != actual {
		t.Errorf("Expected URL.RequestURI()='%s' but got '%s'", expected, actual)
	}
	if expected, actual := tc.expect.URL.Fragment, tc.input.URL.Fragment; expected != actual {
		t.Errorf("Expected URL.Fragment='%s' but got '%s'", expected, actual)
	}

	return
}
And it crashed like this:
--- FAIL: TestRewrite1 (0.00s)
panic: runtime error: slice bounds out of range [3:1] [recovered]
panic: runtime error: slice bounds out of range [3:1]
goroutine 25 [running]:
testing.tRunner.func1.2({0x12f70c0, 0xc0001e0a98})
/home/zjx/.local/go/src/testing/testing.go:1211 +0x24e
testing.tRunner.func1()
/home/zjx/.local/go/src/testing/testing.go:1214 +0x218
panic({0x12f70c0, 0xc0001e0a98})
/home/zjx/.local/go/src/runtime/panic.go:1038 +0x215
github.com/caddyserver/caddy/v2/modules/caddyhttp/rewrite.Rewrite.rewrite({{0x0, 0x0}, {0x139e2a5, 0x3}, {0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0, ...}, ...}, ...)
/home/zjx/workspace/gowork/src/go-fdg-exmaples/caddy/modules/caddyhttp/rewrite/rewrite.go:161 +0xc65
github.com/caddyserver/caddy/v2/modules/caddyhttp/rewrite.TestRewrite1(0xc000471520)
/home/zjx/workspace/gowork/src/go-fdg-exmaples/caddy/modules/caddyhttp/rewrite/tmp_test.go:59 +0x525
testing.tRunner(0xc000471520, 0x1410440)
/home/zjx/.local/go/src/testing/testing.go:1261 +0x102
created by testing.(*T).Run
/home/zjx/.local/go/src/testing/testing.go:1308 +0x35a
exit status 2
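The panic above reports an inverted slice range (`[3:1]`) produced by a rewrite target in which `#` comes before `?`. The following Go code is an added example, not Caddy's rewrite handler and not the project's fix: it shows a way to split a rewrite target into path, query and fragment that cannot produce an inverted range, because it follows the RFC 3986 section 4.2 ordering (the first `#` starts the fragment and everything after it is fragment) and searches for `?` only in the text that remains. The names `URIParts`, `SplitRewriteURI` and `ApplyRewrite` and the sample targets are constructed for this illustration; the `"/#?"` value is the one from the report.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// URIParts holds the components of a rewrite target. HasQuery and
// HasFragment record whether a '?' or '#' was present at all, so a rewrite
// can tell "clear the query" apart from "leave the query alone".
type URIParts struct {
	Path        string
	Query       string
	HasQuery    bool
	Fragment    string
	HasFragment bool
}

// SplitRewriteURI splits a rewrite target into path, query and fragment using
// the RFC 3986 section 4.2 rule: the first '#' starts the fragment and every
// byte after it is fragment, so a later '?' never starts a query. The fragment
// is cut off first and the query is then searched only in what remains, so
// every slice is of the form s[:i] or s[i+1:] with 0 <= i < len(s); no
// combination of '?' and '#' can yield an inverted [start:end] pair.
func SplitRewriteURI(uri string) URIParts {
	var p URIParts
	rest := uri
	if i := strings.IndexByte(rest, '#'); i >= 0 {
		p.HasFragment = true
		p.Fragment = rest[i+1:]
		rest = rest[:i]
	}
	if i := strings.IndexByte(rest, '?'); i >= 0 {
		p.HasQuery = true
		p.Query = rest[i+1:]
		rest = rest[:i]
	}
	p.Path = rest
	return p
}

// ApplyRewrite is a hypothetical helper (not Caddy's code) that applies the
// split result to a URL: an empty path leaves the request path untouched,
// while a present query or fragment replaces the corresponding field.
func ApplyRewrite(u *url.URL, uri string) {
	p := SplitRewriteURI(uri)
	if p.Path != "" {
		u.Path = p.Path
		u.RawPath = "" // the rewrite target is plain path text, not an escaped form
	}
	if p.HasQuery {
		u.RawQuery = p.Query
	}
	if p.HasFragment {
		u.Fragment = p.Fragment
	}
}

func main() {
	// Constructed sample targets, including the "/#?" value from the report.
	for _, target := range []string{"/#?", "/foo?a=b#frag", "/foo#frag?x", "?q=1", "#only"} {
		u := &url.URL{Path: "/foo/bar", RawQuery: "a=b"}
		ApplyRewrite(u, target)
		fmt.Printf("%-16q -> path=%q query=%q fragment=%q\n", target, u.Path, u.RawQuery, u.Fragment)
	}
}
```

With the report's input (`/foo/bar?a=b`) and target (`/#?`), the path becomes `/`, the query `a=b` is left alone because no `?` precedes the `#`, and the fragment becomes `?`; the same target that crashed the handler in the stack trace is handled without touching any out-of-range index.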
Related news
GHSA-m7gr-5w5g-36jf: Out-of-bounds Read can lead to client side denial of service
An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) on the client side via a crafted URI. According to the maintainer, the bug only affects the client side of the request and cannot cause a denial of service on the server.