Skip to content

Fix integer underflow in try_range_response for empty files#3566

Merged
jplatte merged 2 commits into
mainfrom
underflow-try-range-response
Nov 22, 2025
Merged

Fix integer underflow in try_range_response for empty files#3566
jplatte merged 2 commits into
mainfrom
underflow-try-range-response

Conversation

@Darksonn
Copy link
Copy Markdown
Member

@Darksonn Darksonn commented Nov 19, 2025

Thanks to @mufeedvh for reporting this bug.

martin-g
martin-g reviewed Nov 19, 2025
View reviewed changes
Comment thread Range request DoS via integer underflow in try_range_response - axum.pdf Outdated
@Darksonn Darksonn force-pushed the underflow-try-range-response branch from 430699d to d5b43a3 Compare November 19, 2025 18:27
@seanmonstar
Copy link
Copy Markdown
Member

seanmonstar commented Nov 19, 2025

Just to add a note from spec:

For a GET request, a valid bytes range-spec is satisfiable if it is either:

  • an int-range with a first-pos that is less than the current length of the selected representation

So, with a file of 0 bytes, the first-pos of 0 is not less than the length, and thus is now rejected.

@yanns
Copy link
Copy Markdown
Collaborator

yanns commented Nov 19, 2025

From CI:

error: the borrowed expression implements the required traits
   --> axum-extra/src/response/file_stream.rs:615:34
    |
615 |         std::fs::write(filename, &[]).unwrap();
    |                                  ^^^ help: change this to: `[]`

@Darksonn Darksonn force-pushed the underflow-try-range-response branch from d5b43a3 to 4d568ab Compare November 19, 2025 21:30
@Darksonn
Copy link
Copy Markdown
Member Author

Darksonn commented Nov 19, 2025

Fixed thanks.

jplatte
jplatte reviewed Nov 20, 2025
View reviewed changes
Comment thread axum-extra/src/response/file_stream.rs Outdated
@Darksonn Darksonn force-pushed the underflow-try-range-response branch from f86bcea to 24c5b86 Compare November 21, 2025 15:36
darth-raijin
darth-raijin reviewed Nov 22, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@darth-raijin darth-raijin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small question, feel free to ignore it was meant as food for thought

Comment thread axum-extra/src/response/file_stream.rs
let total_size = metadata.len();

if total_size == 0 {
return Ok((StatusCode::RANGE_NOT_SATISFIABLE, "Range Not Satisfiable").into_response());
Copy link
Copy Markdown
Contributor

@darth-raijin darth-raijin Nov 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question:
I noticed that the error body "Range Not Satisfiable" is hard-coded directly into the response. Would it make sense to extract this into a shared constant so tests can assert on the exact same value?

Having the literal inline makes tests fragile, since they need to duplicate the exact string. If the message ever changes, that could also unintentionally break consumers relying on the current wording or cause test drift.

In particular, there are two branches in this PR that both return StatusCode::RANGE_NOT_SATISFIABLE. It might be useful if the test also asserted on the error body, to ensure the StatusCode::RANGE_NOT_SATISFIABLE comes from the branch in file_stream.rs with the expected response body, and not the test branch.

@jplatte jplatte merged commit 601d775 into main Nov 22, 2025
18 checks passed
@jplatte jplatte deleted the underflow-try-range-response branch November 22, 2025 19:09
jplatte pushed a commit that referenced this pull request Dec 20, 2025
@Darksonn @jplatte
Fix integer underflow in try_range_response for empty files (#3566)
816407a
@jplatte jplatte mentioned this pull request Dec 20, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@martin-g martin-g martin-g left review comments

@seanmonstar seanmonstar seanmonstar approved these changes

@yanns yanns yanns approved these changes

+2 more reviewers

@darth-raijin darth-raijin darth-raijin left review comments

@jplatte jplatte jplatte approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Darksonn @seanmonstar @yanns @martin-g @jplatte @darth-raijin