Malicious requests for many overlapping byte ranges of large files risk OOM

[berthubert]

Thank you for cpp-httlib, it is enormously useful for me!
But, here's an issue: a malicious user could craft a Content-Range that causes cpp-httplib to buffer an arbitrary number of copies of a file that it serves. This leads to an easy OOM.

@wandernauta explained the whole issue here very well: berthubert/trifecta#49

Some kind of limit might be appropriate here, but I don't know what it should be.

[yhirose]

@berthubert thanks for the report. Could you show the smallest possible code that can reproduce this problem? I'll definitely take a look at it. Thanks a lot!

[yhirose]

@berthubert I fixed this issue based on '14.2. Range' in RFC 9110 'HTTP Semantics' to avoid potential denial-of-service attacks. (https://www.rfc-editor.org/rfc/rfc9110#section-14.2)

Could you please test with the latest httplib.h on the master branch in your project? If it works, I'll bump the version of httplib.h to 0.15.1 and release it right away.

Thanks for your help!

[berthubert]

I have tested the new httplib.h and now I get:
< HTTP/1.1 416 Range Not Satisfiable

With the previous httplib.h, and the same GET request I did not get a response to this any time soon, but my process was allocating dozens of GB of memory:
curl --verbose -r "$(perl -e 'print "0-," x 2500')0-" http://localhost:1234/i/IUNVDkG_4W4

So I can confirm the fix at least prevents OOM and DoS. Thank you for addressing this so thoroughly, including with new tests! Most appreciated.

[yhirose]

Thanks for the quick response! v0.15.1 is released. Thanks again for your fine contribution!