Index | Thread | Search

From:
Rafael Sadowski <rafael@sizeofvoid.org>
Subject:
relayd: reject duplicate Content-Length headers with 400
To:
tech@openbsd.org
Date:
Fri, 10 Jul 2026 16:29:25 +0200

Download raw body.

Thread
OK?

commit 8db53823fb3943b49a6caf64a2e8dab88653b4aa
Author: Rafael Sadowski <rafael@sizeofvoid.org>
Date:   Fri Jul 10 16:25:13 2026 +0200

    relayd: reject duplicate Content-Length headers with 400
    
    Only Host was marked unique, so a request with two Content-Length
    fields was framed on the last value but forwarded with both, allowing
    a backend to desync and smuggle a request past the filter rules. Mark
    Content-Length unique so the second occurrence is rejected in kv_add().

diff --git a/relay_http.c b/relay_http.c
index 170c3ce..a4c965e 100644
--- a/relay_http.c
+++ b/relay_http.c
@@ -402,8 +402,9 @@ relay_read_http(struct bufferevent *bev, void *arg)
 			goto abort;
 		}
 
-		/* The "Host" header must only occur once. */
-		unique = strcasecmp("Host", key) == 0;
+		/* The following headers must only occur once. */
+		unique = strcasecmp("Host", key) == 0 ||
+		    strcasecmp("Content-Length", key) == 0;
 
 		if ((hdr = kv_add(&desc->http_headers, key,
 		    value, unique)) == NULL) {