Tinyproxy version

Tested on:

• tinyproxy 1.11.3

Issue

Title

Integer overflow in chunked transfer parser may lead to Denial of Service

Description

An issue was identified in the HTTP chunked transfer encoding parser (src/reqs.c) related to handling of large chunk size values.

Under certain conditions, extremely large chunk sizes may not be properly validated, leading to unexpected behavior in connection handling. This can result in worker connections being held for extended periods.

This behavior can be abused to exhaust available worker slots and prevent new connections from being accepted.

Impact

• Remote Denial of Service
• Connection exhaustion
• Service unavailability

Notes

• The issue appears to persist in 1.11.3
• Recent fixes for negative chunk sizes do not fully address this case
• Detailed reproduction steps can be shared privately if needed

Recommendation

• Validate chunk size parsing results (including overflow conditions)
• Apply strict upper bounds to chunk length