Open Bug 895834 Opened 11 years ago Updated 2 years ago

Operating system resource exhaustion (denial of service) when processing crafted gzip content

Categories

(Core :: General, defect)

22 Branch
x86_64
Linux
defect

UNCONFIRMED

People

(Reporter: geoff.jones, Unassigned)

Details

(Keywords: csectype-dos, sec-low, Whiteboard: DUPEME)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36

Steps to reproduce:

Compress 1TB of /dev/zero with four rounds of gzip compression (resulting file size 43k). 

Deliver compressed content to browser with 'Content-Encoding: gzip, gzip, gzip, gzip'

Testing framework available here - https://github.com/cyberisltd/GzipBloat



Actual results:

Operating system resources are exhausted, ultimately resulting in a crash of the browser.


Expected results:

Browser should display a suitable error message indicating it is not possible to decompress content. If decompression is attempted, multiple calls to the decompression routine should be made to prevent exhaustion of memory.
Other vendors mentioned in the paper are also aware of the issue.
Whiteboard: DUPEME
Group: core-security
Severity: normal → S3
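
The behaviour requested under "Expected results", shown as an added example that is not Firefox code and not part of the original report: each gzip layer named in `Content-Encoding` is inflated lazily in calls that return at most 64 KiB, and decoding stops with an error once any layer passes a caller-chosen limit. The names `decode_body`, `DecodedBodyTooLarge`, `CHUNK` and the `limit` parameter are assumptions, and `sample_body` builds a constructed, scaled-down fixture (4 MiB of zeros rather than 1TB).

```python
import gzip
import zlib

CHUNK = 64 * 1024  # assumed cap on bytes returned by one decompressor call


class DecodedBodyTooLarge(Exception):
    """A layer inflated past the caller's limit (hypothetical error type)."""


def _gunzip_layer(chunks, limit):
    """Lazily inflate one gzip layer, yielding pieces of at most CHUNK bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS: gzip framing
    produced = 0
    for chunk in chunks:
        while chunk:
            out = d.decompress(chunk, CHUNK)  # output is capped at CHUNK bytes
            chunk = d.unconsumed_tail         # input held back by that cap
            produced += len(out)
            if produced > limit:
                raise DecodedBodyTooLarge(f"layer exceeded {limit} bytes")
            if out:
                yield out
    if not d.eof:
        raise ValueError("truncated gzip stream")


def decode_body(chunks, content_encoding, limit):
    """Return an iterator over the body with every listed coding removed."""
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    stream = iter(chunks)
    for coding in reversed(codings):  # undo the last-applied coding first
        if coding not in ("gzip", "x-gzip"):
            raise ValueError(f"unsupported coding: {coding}")
        stream = _gunzip_layer(stream, limit)  # layers chain without buffering
    return stream


def sample_body(size=4 * 1024 * 1024, rounds=4):
    """Constructed fixture: `size` zero bytes gzipped `rounds` times."""
    data = bytes(size)
    for _ in range(rounds):
        data = gzip.compress(data)
    return data


if __name__ == "__main__":
    pieces = decode_body([sample_body()], "gzip, gzip, gzip, gzip", 16 << 20)
    print("decoded bytes:", sum(len(p) for p in pieces))
```

Because the layers are chained generators, no layer's full output is ever held in memory; the limit is checked per layer, so an oversized intermediate layer is rejected as well as an oversized final body.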