From: Kirill A. Korinsky Subject: Re: relayd: reject duplicate Content-Length headers with 400 To: Rafael Sadowski Cc: tech@openbsd.org Date: Fri, 10 Jul 2026 18:52:16 +0200 On Fri, 10 Jul 2026 16:29:25 +0200, Rafael Sadowski wrote: > > OK? > Make sense and reads OK kirill@ > commit 8db53823fb3943b49a6caf64a2e8dab88653b4aa > Author: Rafael Sadowski > Date: Fri Jul 10 16:25:13 2026 +0200 > > relayd: reject duplicate Content-Length headers with 400 > > Only Host was marked unique, so a request with two Content-Length > fields was framed on the last value but forwarded with both, allowing > a backend to desync and smuggle a request past the filter rules. Mark > Content-Length unique so the second occurrence is rejected in kv_add(). > > diff --git a/relay_http.c b/relay_http.c > index 170c3ce..a4c965e 100644 > --- a/relay_http.c > +++ b/relay_http.c > @@ -402,8 +402,9 @@ relay_read_http(struct bufferevent *bev, void *arg) > goto abort; > } > > - /* The "Host" header must only occur once. */ > - unique = strcasecmp("Host", key) == 0; > + /* The following headers must only occur once. */ > + unique = strcasecmp("Host", key) == 0 || > + strcasecmp("Content-Length", key) == 0; > > if ((hdr = kv_add(&desc->http_headers, key, > value, unique)) == NULL) { > -- wbr, Kirill