From f6d0645a3c63e65b6a2d03141072f55721fb8d30 Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Mon, 5 Aug 2019 19:06:40 +0200
Subject: [PATCH] fix DoS vulnerability in the content SHA-256 processing (#8026)

This commit fixes a DoS issue that is caused by an incorrect SHA-256 content verification during STS requests. Before that fix clients could write arbitrary many bytes to the server memory. This commit fixes this by limiting the request body size.
---
 cmd/signature-v4-utils.go | 3 ++-
 cmd/sts-handlers.go       | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/cmd/signature-v4-utils.go b/cmd/signature-v4-utils.go
index 01b12dff2..d0e58ed03 100644
--- a/cmd/signature-v4-utils.go
+++ b/cmd/signature-v4-utils.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"crypto/hmac"
 	"encoding/hex"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"strconv"
@@ -61,7 +62,7 @@ func skipContentSha256Cksum(r *http.Request) bool {
 // Returns SHA256 for calculating canonical-request.
 func getContentSha256Cksum(r *http.Request, stype serviceType) string {
 	if stype == serviceSTS {
-		payload, err := ioutil.ReadAll(r.Body)
+		payload, err := ioutil.ReadAll(io.LimitReader(r.Body, stsRequestBodyLimit))
 		if err != nil {
 			logger.CriticalIf(context.Background(), err)
 		}
diff --git a/cmd/sts-handlers.go b/cmd/sts-handlers.go
index ad997e46b..2a7fc5261 100644
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -40,6 +40,8 @@ const (
 	clientGrants = "AssumeRoleWithClientGrants"
 	webIdentity  = "AssumeRoleWithWebIdentity"
 	assumeRole   = "AssumeRole"
+
+	stsRequestBodyLimit = 10 * (1 << 20) // 10 MiB
 )
 
 // stsAPIHandlers implements and provides http handlers for AWS STS API.
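Review bot: The `io.LimitReader` on the new `payload, err := ioutil.ReadAll(...)` line truncates silently: a body larger than stsRequestBodyLimit is hashed over its first 10 MiB and the remainder is left unread on the connection, so the client gets a signature-mismatch error rather than a clear "body too large" rejection, and the excess bytes are never drained. Since getContentSha256Cksum returns only a string, an explicit size check cannot be signalled from here; it fits better in the STS handlers where the ResponseWriter is available, e.g. `r.Body = http.MaxBytesReader(w, r.Body, stsRequestBodyLimit)` before signature verification, which bounds memory the same way and also returns a proper error to the caller. A one-line comment on the LimitReader call, `// bounds memory use; oversized bodies fail signature verification rather than being rejected explicitly`, would at least make the current behaviour visible. Separately, the read error passed to `logger.CriticalIf` on the next line can now be triggered by any client that aborts mid-body; whether that logging level is appropriate for client-caused errors depends on CriticalIf's semantics, which are not visible here. The body of getContentSha256Cksum continues outside the hunk.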
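Review bot: The new `stsRequestBodyLimit` constant is declared in cmd/sts-handlers.go but its only use in this patch is in cmd/signature-v4-utils.go, and the trailing `// 10 MiB` says nothing about that cross-file role or why the value was chosen. A doc comment on the constant such as `// stsRequestBodyLimit caps how much of an STS request body is read into memory for content SHA-256 verification (see getContentSha256Cksum).` would help the next maintainer find the dependency before changing or moving it. The surrounding const block starts inside the hunk and closes at the visible `)`.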