Bug #3776: Timeout in libhtp due to multiple responses with double lzma encoding - Suricata - Open Information Security Foundation

Actions

Bug #3776

closed

Timeout in libhtp due to multiple responses with double lzma encoding

Added by Philippe Antoine over 4 years ago. Updated about 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23285

24k responses for 465 kilobytes, making sure each response is under the thresholds for compression bombs

Related issues 1 (0 open — 1 closed)

Actions

#1

Updated by Philippe Antoine over 4 years ago

Private changed from No to Yes

Actions

#2

Updated by Philippe Antoine over 4 years ago

Status changed from New to In Review

Gitlab PR

Actions

#3

Updated by Philippe Antoine over 4 years ago

Related to Task #3824: libhtp 0.5.34 added

Actions

#4

Updated by Philippe Antoine about 4 years ago

Target version set to 6.0.0rc1

Actions

#5

Updated by Philippe Antoine about 4 years ago

Private changed from Yes to No

This issue involves an evil client and an evil server which repeat the same pattern, expensive in terms of CPU
The evil server sends a HTTP response with two layers of lzma compression

Workaround is to set lzma-enabled: false in suricata.yaml (lzma-enabled is commented by default)
Another workaround is to set response-body-decompress-layer-limit: 1 in suricata.yaml (default value is 2)

Actions

#6

Updated by Philippe Antoine about 4 years ago

Status changed from In Review to Closed

https://github.com/OISF/libhtp/pull/305 and https://github.com/OISF/suricata/pull/5393

Actions

Also available in: Atom PDF