From: Rafael Sadowski Subject: relayd: reject duplicate Content-Length headers with 400 To: tech@openbsd.org Date: Fri, 10 Jul 2026 16:29:25 +0200 OK? commit 8db53823fb3943b49a6caf64a2e8dab88653b4aa Author: Rafael Sadowski Date: Fri Jul 10 16:25:13 2026 +0200 relayd: reject duplicate Content-Length headers with 400 Only Host was marked unique, so a request with two Content-Length fields was framed on the last value but forwarded with both, allowing a backend to desync and smuggle a request past the filter rules. Mark Content-Length unique so the second occurrence is rejected in kv_add(). diff --git a/relay_http.c b/relay_http.c index 170c3ce..a4c965e 100644 --- a/relay_http.c +++ b/relay_http.c @@ -402,8 +402,9 @@ relay_read_http(struct bufferevent *bev, void *arg) goto abort; } - /* The "Host" header must only occur once. */ - unique = strcasecmp("Host", key) == 0; + /* The following headers must only occur once. */ + unique = strcasecmp("Host", key) == 0 || + strcasecmp("Content-Length", key) == 0; if ((hdr = kv_add(&desc->http_headers, key, value, unique)) == NULL) {