The following are the two mails with the different patches to fix the resource consumption bug in Goahead webserver <= 2.1.8 that I found in 2002 but which is still unpatched: http://aluigi.org/adv/goahead-adv1.txt

They must be applied to webs.c, but the line numbers given refer to versions older than 2.1.8, so be prepared to search manually for the exact lines in the file.

Don't ask me for support about applying these patches, because I don't use this webserver, and since it is no longer supported and has many bugs it should not be used in production systems!

########################################################################
MAIL 1
########################################################################

From: "Dhanwa T"
Reply-To: "Dhanwa T"
Newsgroups: goahead.public.webserver
Subject: Re: Goahead webserver 2.1.4 DoS + memory eater (bug)
Date: Sat, 9 Nov 2002 12:37:36 -0800
X-Newsreader: Microsoft Outlook Express 6.00.2800.1106

ok. so I had some time to look into this and I think I have a fix. Please validate and let me know whether this works for you. But first try reproducing the bug in the existing code with Luigi's client-side exploit code before applying the patch (enclosed within tags below).

(approx: webs.c:websGetInput(...):587)

static int websGetInput(webs_t wp, char_t **ptext, int *pnbytes)
{
    char_t  *text;
    char    buf[WEBS_SOCKET_BUFSIZ+1];
    int     nbytes, len, clen;

    a_assert(websValid(wp));
    a_assert(ptext);
    a_assert(pnbytes);

    *ptext = text = NULL;
    *pnbytes = 0;

    /*
     * If this request is a POST with a content length, we know the number
     * of bytes to read so we use socketRead().
     */
    if (wp->state == WEBS_POST_CLEN) {
        len = (wp->clen > WEBS_SOCKET_BUFSIZ) ? WEBS_SOCKET_BUFSIZ : wp->clen;
    } else {
        len = 0;
    }

    if (len > 0) {
#ifdef WEBS_SSL_SUPPORT
        if (wp->flags & WEBS_SECURE) {
            nbytes = websSSLRead(wp->wsp, buf, len);
        } else {
            nbytes = socketRead(wp->sid, buf, len);
        }
#else
        nbytes = socketRead(wp->sid, buf, len);
#endif
        if (nbytes < 0) {                       /* Error */
            websDone(wp, 0);
            return -1;

        } else if (nbytes == 0) {               /* EOF or No data available */
//
            /* bug# 1747 dhanwa: 11-09-02
             * If Mallory is trying a DoS attack by closing the socket
             * after fooling the webserver by specifying a large CONTENT_LENGTH
             * in a POST request, we catch it and terminate the connection.
             * This is a side-effect of socketRead whose return value does not
             * distinguish between EOF and no-data and we have to explicitly use
             * the socketEof() to test for it.
             */
            int eof = socketEof(wp->sid);
            if (eof) {
                websDone(wp, 0);
            }
//
            return -1;

        } else {                                /* Valid data */
            /*
             * Convert to UNICODE if necessary. First be sure the string
             * is NULL terminated.
             */
            buf[nbytes] = '\0';
            if ((text = ballocAscToUni(buf, nbytes)) == NULL) {
                websError(wp, 503, T("Insufficient memory"));
                return -1;
            }
        }
    } else {
#ifdef WEBS_SSL_SUPPORT
        if (wp->flags & WEBS_SECURE) {
        ........
        ...................
}

########################################################################
MAIL 2
########################################################################

From: "chenhaitao"
Reply-To: "chenhaitao"
Newsgroups: goahead.public.webserver
Subject: bug - GoAhead 2.1.6
Date: Thu, 11 Dec 2003 14:01:06 +0800
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158

Hi all,

I'd like to report a couple of serious bugs found in GoAhead 2.1.6; this bug is like the one reported by Hai Vu.

Here is some background:

Platform: VxWorks
Architecture: Power PC 8245
Bug: (an attack attempt) will cause the web server to go into an infinite loop. The attack was to send a POST command that promises more data than is being sent to the server.

The bug:

File: webs.c
Function: websGetInput()

    /*
     * If this request is a POST with a content length, we know the number
     * of bytes to read so we use socketRead().
     */
    if (wp->state == WEBS_POST_CLEN) {
        len = (wp->clen > WEBS_SOCKET_BUFSIZ) ? WEBS_SOCKET_BUFSIZ : wp->clen;
    } else {
        len = 0;
    }

    if (len > 0) {
#ifdef WEBS_SSL_SUPPORT
        if (wp->flags & WEBS_SECURE) {
            nbytes = websSSLRead(wp->wsp, buf, len);
        } else {
            nbytes = socketRead(wp->sid, buf, len);
        }
#else
        nbytes = socketRead(wp->sid, buf, len);
#endif
    .
    .
    .
    if (wp->state == WEBS_HEADER) {
        /*
         * Valid empty line, now finished with header
         */
        websParseRequest(wp);
        if (wp->flags & WEBS_POST_REQUEST) {
            if (wp->flags & WEBS_CLEN) {
                wp->state = WEBS_POST_CLEN;
                clen = wp->clen;
            } else {
                wp->state = WEBS_POST;
                clen = 1;
            }
            if (clen > 0) {
                /*
                 * Return 0 to get more data.
                 */
                return 0;
            }
            return 1;
        }

File: sock.c
Function: socketRead()

    if (sp->flags & SOCKET_EOF) {
        return 0;
    }

If clen is larger than the real POST data length, then when the socket has read up to SOCKET_EOF, clen is still > 0, but every further call to socketRead() returns 0, so clen can never decrease.

########################################################################
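The following is an added example, not code from either mail or from GoAhead itself: a self-contained C model of the websGetInput() read loop that both mails describe, driven by a constructed in-memory "socket" so it runs offline. The names fake_sock, sock_read, sock_eof, drain_post_body, run_scenario and reads_for are assumptions standing in for socketRead(), socketEof() and websGetInput() in webs.c/sock.c; the request bodies and promised lengths are constructed test data. It shows the failure mode (a 0-byte read means either EOF or "no data yet", so once the peer closes with clen still > 0 the loop never makes progress) next to the effect of the socketEof() check from MAIL 1, and also the honest case where the promised body does arrive.

```c
#include <stdio.h>
#include <string.h>

#define WEBS_BUF 8      /* small read buffer so the loop runs several times */
#define MAX_ITER 1000   /* safety cap so the unpatched model cannot hang this demo */

enum { FLAG_EOF = 1 };

/* Constructed stand-in for a GoAhead socket: the bytes the client actually
 * sent as the POST body, a read cursor, and an EOF flag set on peer close. */
typedef struct {
    const char *data;
    size_t len;
    size_t pos;
    int flags;
} fake_sock;

/* Mirrors the behaviour quoted from sock.c: returns 0 both once SOCKET_EOF
 * is set and when the peer has simply sent nothing more yet, so the caller
 * cannot tell the two apart from the return value alone. */
static int sock_read(fake_sock *s, char *buf, int want) {
    if (s->flags & FLAG_EOF) return 0;
    size_t avail = s->len - s->pos;
    if (avail == 0) {
        s->flags |= FLAG_EOF;   /* peer closed after sending all it ever will */
        return 0;
    }
    size_t n = (size_t)want < avail ? (size_t)want : avail;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Stand-in for socketEof(): the only way to learn the peer has closed. */
static int sock_eof(const fake_sock *s) { return (s->flags & FLAG_EOF) != 0; }

enum { BODY_COMPLETE = 1, CONN_CLOSED = 2, STUCK = 3 };

/* Drain a POST body of 'clen' promised bytes (the Content-Length value).
 * patched == 0: a 0-byte read is treated as "no data yet" and the loop
 *   re-polls forever, as in unpatched websGetInput().
 * patched == 1: a 0-byte read plus sock_eof() ends the request, which is
 *   the MAIL 1 change (websDone(wp, 0) on EOF). */
static int drain_post_body(fake_sock *s, long clen, int patched, int *iterations) {
    char buf[WEBS_BUF + 1];
    *iterations = 0;
    while (clen > 0) {
        if (++*iterations > MAX_ITER) return STUCK;   /* would spin forever */
        int want = clen > WEBS_BUF ? WEBS_BUF : (int)clen;
        int n = sock_read(s, buf, want);
        if (n < 0) return CONN_CLOSED;                 /* error path */
        if (n == 0) {
            if (patched && sock_eof(s)) return CONN_CLOSED;
            continue;                                  /* wait for data that never comes */
        }
        buf[n] = '\0';
        clen -= n;
    }
    return BODY_COMPLETE;
}

/* One constructed scenario: the client promised 'clen' bytes, actually
 * sent 'body', then closed the connection. Returns the result code. */
static int run_scenario(const char *body, long clen, int patched) {
    fake_sock s = { body, strlen(body), 0, 0 };
    int it;
    return drain_post_body(&s, clen, patched, &it);
}

/* Same scenario, returning how many read attempts the loop made. */
static int reads_for(const char *body, long clen, int patched) {
    fake_sock s = { body, strlen(body), 0, 0 };
    int it;
    drain_post_body(&s, clen, patched, &it);
    return it;
}

int main(void) {
    /* Constructed: Content-Length 100 promised, 3 bytes sent, then close. */
    printf("unpatched: result %d after %d reads\n",
           run_scenario("abc", 100, 0), reads_for("abc", 100, 0));
    printf("patched:   result %d after %d reads\n",
           run_scenario("abc", 100, 1), reads_for("abc", 100, 1));
    /* Constructed: honest client, 12 bytes promised and 12 bytes sent. */
    printf("honest:    result %d after %d reads\n",
           run_scenario("hello world!", 12, 1), reads_for("hello world!", 12, 1));
    return 0;
}
```

Result code 3 (STUCK) in the unpatched run stands for the infinite loop both mails report; the cap exists only so the demo terminates. The patched run returns after the second read, once the EOF flag is checked explicitly, which is exactly the extra information the MAIL 1 patch pulls in with socketEof().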