Tinyproxy Integer Overflow Vulnerability in HTTP Chunked Transfer Encoding Parser Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Tinyproxy versions through 1.11.3. The issue arises from an integer overflow in the HTTP chunked transfer encoding parser, located in 'src/reqs.c'. This vulnerability allows an unauthenticated remote attacker to cause service disruption by sending crafted chunk sizes that bypass existing validation checks. The improper handling of large chunk sizes leads to signed integer overflows during size calculations, causing the proxy to read excessive amounts of request-body data. This behavior exhausts available worker connections, holding them open indefinitely and preventing new connections, thereby causing complete service unavailability.

Impact

Exploitation of this vulnerability leads to remote denial-of-service conditions, causing connection exhaustion and service unavailability.

Reproduction

To reproduce this vulnerability, send an HTTP request with a chunked transfer encoding that includes a chunk size crafted to trigger the integer overflow. The parser will incorrectly calculate the size, causing the proxy to read an excessive amount of data and hold the connection open. This can be done by manipulating the chunk size to approach the maximum value, bypassing the validation that checks for negative lengths.

Remediation

Users can upgrade to Tinyproxy version 1.11.4 or later, where this vulnerability has been addressed.

Added: Mar 30, 2026, 8:20 AM
Updated: Mar 30, 2026, 8:20 AM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 2.5
exploitability: 8.0
remediation: 7.7
relevance: 4.9
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.