Denial of Service - endless loop in parsing Connection header
===============================================================

CVE-2012-5533 [1] was assigned to this bug.

Description
-------------

Certain Connection header values trigger an endless loop, for example:

  "Connection: TE,,Keep-Alive"

Thanks to Jesse Sipprell from McClatchy Interactive, Inc. for reporting this issue.

Detailed analysis
-------------------

On receiving such a value, lighttpd enters an endless loop: the parser detects an empty token but does not advance the current string position, so it reads the same ',' again and again.

This bug was introduced [2] in 1.4.31, when we fixed an "invalid read" bug [3] (the old code tried to read the byte before the string if the value started with ',', although that byte was never actually used).

The patch includes a complete rewrite of the vulnerable function; the new function should work with all older releases as well, since the interface did not change.

Affected versions
-------------------

Only 1.4.31; on the other hand, versions before 1.4.31 include the "invalid read" bug.

Patch
-------

See http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch

Fixed in
----------

1.4.x: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2860
1.4.32: http://www.lighttpd.net/2012/11/21/1-4-32

Solutions or Workaround
-------------------------

There is no workaround.

References
------------

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5533
[2] http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830/diff/
[3] http://redmine.lighttpd.net/issues/2413

GPG Signatures
----------------

* http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch.asc
* http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt.asc
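The two parser defects described above (reading the byte before the value when it starts with ',', and failing to advance the cursor on an empty token) are both avoided by a tokenizer that only ever moves forward and never indexes before the start of the value. The following is an added illustration, not lighttpd's own code or its patch; the function name connection_header_has_token is assumed for this example.

```c
#include <ctype.h>
#include <stddef.h>

/* Case-insensitive comparison of a non-terminated token (a, alen) against
 * a NUL-terminated token b. Returns 1 when they are equal. */
static int token_equals(const char *a, size_t alen, const char *b)
{
    size_t i;
    for (i = 0; i < alen; i++) {
        if (b[i] == '\0' ||
            tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return b[alen] == '\0';
}

static int is_separator(char c)
{
    return c == ',' || c == ' ' || c == '\t';
}

/* Returns 1 if the comma-separated Connection header value contains `token`
 * (compared case-insensitively), 0 otherwise.
 *
 * Defensive properties relevant to this advisory:
 *  - the cursor `p` is never moved backwards, so value[-1] is never read,
 *    even when the value begins with ',' (the "invalid read" bug);
 *  - every iteration either returns or consumes at least one byte, so
 *    empty tokens such as the ",," in "TE,,Keep-Alive" cannot stall the
 *    loop (the endless-loop bug). */
int connection_header_has_token(const char *value, const char *token)
{
    const char *p = value;

    for (;;) {
        /* Skip any run of separators; each step advances p. */
        while (is_separator(*p)) p++;
        if (*p == '\0') return 0;           /* no more tokens */

        /* Scan the current token up to the next separator or end. */
        const char *start = p;
        while (*p != '\0' && !is_separator(*p)) p++;

        if (token_equals(start, (size_t)(p - start), token)) return 1;
        /* p now points past a non-empty token: progress is guaranteed. */
    }
}
```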