Index | Thread | Search

From:
Kirill A. Korinsky <kirill@korins.ky>
Subject:
Re: relayd: reject duplicate Content-Length headers with 400
To:
Rafael Sadowski <rafael@sizeofvoid.org>
Cc:
tech@openbsd.org
Date:
Fri, 10 Jul 2026 18:52:16 +0200

Download raw body.

Thread
On Fri, 10 Jul 2026 16:29:25 +0200,
Rafael Sadowski <rafael@sizeofvoid.org> wrote:
> 
> OK?
>

Make sense and reads OK kirill@

> commit 8db53823fb3943b49a6caf64a2e8dab88653b4aa
> Author: Rafael Sadowski <rafael@sizeofvoid.org>
> Date:   Fri Jul 10 16:25:13 2026 +0200
> 
>     relayd: reject duplicate Content-Length headers with 400
>     
>     Only Host was marked unique, so a request with two Content-Length
>     fields was framed on the last value but forwarded with both, allowing
>     a backend to desync and smuggle a request past the filter rules. Mark
>     Content-Length unique so the second occurrence is rejected in kv_add().
> 
> diff --git a/relay_http.c b/relay_http.c
> index 170c3ce..a4c965e 100644
> --- a/relay_http.c
> +++ b/relay_http.c
> @@ -402,8 +402,9 @@ relay_read_http(struct bufferevent *bev, void *arg)
>  			goto abort;
>  		}
>  
> -		/* The "Host" header must only occur once. */
> -		unique = strcasecmp("Host", key) == 0;
> +		/* The following headers must only occur once. */
> +		unique = strcasecmp("Host", key) == 0 ||
> +		    strcasecmp("Content-Length", key) == 0;
>  
>  		if ((hdr = kv_add(&desc->http_headers, key,
>  		    value, unique)) == NULL) {
> 

-- 
wbr, Kirill