[pkg-uWSGI-devel] Bug#846362: uwsgi-core: flaw in readline implementation causing it to return excess data

Juho Heikkinen juho.heikkinen at f-secure.com
Wed Nov 30 16:15:21 UTC 2016


Package: uwsgi-core
Version: 2.0.7-1

Dear Maintainer,

The language-independent readline implementation in uwsgi's 
core/reader.c appears to contain a flaw causing it to append extra bytes 
from the readline buffer to the final line returned, if the request body 
is not terminated by a newline. Reproducing this seems to require that 
the request body is at least 4KB in size.

The issue originally appeared in the context of running a Python application 
with the uwsgi Python plugin, but investigation led me to believe that 
it's in the uwsgi core itself. The issue is also present in upstream. 
The fix seems to be to replace near the end of 
uwsgi_request_body_readline():

  *rlen = wsgi_req->post_readline_size - wsgi_req->post_readline_pos;

with:

  *rlen = wsgi_req->post_readline_watermark - wsgi_req->post_readline_pos;


To reproduce:

  * Install uwsgi, uwsgi-plugin-python3, python3-werkzeug
  * Run the attached repro-app.py with:
    uwsgi_python34 --socket 0.0.0.0:8080 --protocol=http -w repro-app
  * Generate a multiline request body >4KB with:
    ( for x in $(seq -w 1000); do echo $x; done; echo -n "final" ) >data.txt
  * Send request to uwsgi:
    curl http://localhost:8080/ --data-binary @data.txt >data2.txt

Expected:

data.txt and data2.txt are identical

Actual:

data2.txt contains data in data.txt, followed by several lines of extra 
data from the readline buffer.

While this reproduction only causes extra data from the readline buffer 
to be returned, we have also seen cases where the returned extra bytes 
seem to be other unrelated data from the process heap. This has probably 
been caused by consume_body_for_readline() having realloced the buffer 
just before.


-- System Information:
Debian Release: 8.3
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages uwsgi-core depends on:
ii  libc6         2.19-18+deb8u6
ii  libcap2       1:2.24-8
ii  libjansson4   2.7-1+deb8u1
ii  libmatheval1  1.1.11+dfsg-2
ii  libpam0g      1.1.8-3.1+deb8u1
ii  libpcre3      2:8.35-3.3+deb8u2
ii  libssl1.0.0   1.0.1k-3+deb8u4
ii  libuuid1      2.25.2-6
ii  libxml2       2.9.1+dfsg1-5+deb8u3
ii  libyaml-0-2   0.1.6-3
ii  libzmq3       4.0.5+dfsg-2+deb8u1
ii  zlib1g        1:1.2.8.dfsg-2+b1

uwsgi-core recommends no packages.

Versions of packages uwsgi-core suggests:
ii  nginx-full         1.6.2-5+deb8u4
pn  uwsgi-extra        <none>
pn  uwsgi-plugins-all  <none>

-- no debconf information

-------------- next part --------------
A non-text attachment was scrubbed...
Name: repro-app.py
Type: text/x-python
Size: 356 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-uwsgi-devel/attachments/20161130/f50f31fe/attachment.py>
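The following is an added example, not code from the bug report, from uwsgi, or from the scrubbed repro-app.py attachment. It is a hypothetical model of the three counters the report names (post_readline_size, post_readline_watermark, post_readline_pos) and of the final-line bound in uwsgi_request_body_readline(), so that the difference between bounding the last unterminated line by the allocation size (the reported bug) and by the watermark (the proposed fix) can be run and checked offline. The struct, the function names and the constructed request body are assumptions; the model does not reproduce the >4KB trigger, the refill and realloc behaviour of consume_body_for_readline(), or the real data structures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the three counters the report names; this is not
 * uwsgi's struct wsgi_request, only the fields the length bug depends on. */
struct rl_buf {
    char *buf;
    size_t size;      /* allocated bytes (post_readline_size) */
    size_t watermark; /* valid body bytes currently in buf (post_readline_watermark) */
    size_t pos;       /* read cursor (post_readline_pos) */
};

/* Return the next line (and its length in *rlen), or NULL once pos reaches
 * the watermark. 'fixed' selects the bound proposed in the report. */
static char *model_readline(struct rl_buf *rb, size_t *rlen, int fixed)
{
    if (rb->pos >= rb->watermark)
        return NULL;
    char *start = rb->buf + rb->pos;
    for (size_t i = rb->pos; i < rb->watermark; i++) {
        if (rb->buf[i] == '\n') {
            *rlen = i + 1 - rb->pos;
            rb->pos = i + 1;
            return start;
        }
    }
    /* Final line without a newline: return the remainder. Bounding it by
     * the allocation size (buggy) instead of the watermark (fixed) hands
     * back whatever bytes sit between the watermark and the end of buf. */
    *rlen = (fixed ? rb->watermark : rb->size) - rb->pos;
    rb->pos = rb->watermark;
    return start;
}

/* Load a body into a buffer of bufsize bytes whose unused tail still holds
 * bytes from earlier use (constructed here as 'S'), read it back line by
 * line, and concatenate everything readline hands back into *out.
 * Returns the number of bytes returned; the caller frees *out. */
static size_t drain_body(const char *body, size_t body_len, size_t bufsize,
                         int fixed, char **out)
{
    *out = NULL;
    if (body_len > bufsize)
        return 0;
    struct rl_buf rb = { .size = bufsize, .watermark = body_len, .pos = 0 };
    rb.buf = malloc(bufsize);
    *out = malloc(bufsize);
    if (rb.buf == NULL || *out == NULL) {
        free(rb.buf);
        free(*out);
        *out = NULL;
        return 0;
    }
    memset(rb.buf, 'S', bufsize);   /* stale bytes past the watermark */
    memcpy(rb.buf, body, body_len);

    size_t total = 0, n;
    char *line;
    while ((line = model_readline(&rb, &n, fixed)) != NULL) {
        memcpy(*out + total, line, n);   /* total never exceeds bufsize */
        total += n;
    }
    free(rb.buf);
    return total;
}

/* Bytes returned beyond the body: size - watermark with the bug, 0 fixed. */
static size_t excess_bytes(const char *body, size_t bufsize, int fixed)
{
    char *out;
    size_t len = strlen(body);
    size_t got = drain_body(body, len, bufsize, fixed, &out);
    free(out);
    return got > len ? got - len : 0;
}

int main(void)
{
    /* Constructed body: three newline-terminated lines and an unterminated
     * "final", shaped like the report's data.txt but small enough to read. */
    const char *body = "0001\n0002\n0003\nfinal";
    printf("buggy bound: %zu excess bytes\n", excess_bytes(body, 64, 0));
    printf("fixed bound: %zu excess bytes\n", excess_bytes(body, 64, 1));
    return 0;
}
```

With the buggy bound every unterminated final line returns size minus watermark extra bytes, which is why the report sees stale buffer contents when the buffer was reused and unrelated heap data when it had just been realloced; a body that ends in a newline never reaches that branch and is unaffected either way.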

