Return-Path: Delivered-To: apmail-apr-dev-archive@apr.apache.org Received: (qmail 71877 invoked by uid 500); 19 Nov 2001 06:10:39 -0000 Mailing-List: contact dev-help@apr.apache.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list dev@apr.apache.org Received: (qmail 71866 invoked from network); 19 Nov 2001 06:10:38 -0000 Date: Sun, 18 Nov 2001 22:07:32 -0800 From: Brian Pane Subject: Re: [PATCH 2] speedup for apr_table_t To: dev@httpd.apache.org Cc: dev@apr.apache.org Message-id: <3BF8A1A4.8020209@pacbell.net> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7BIT X-Accept-Language: en-us User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.5) Gecko/20011012 References: X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N dean gaudet wrote: > On Sat, 17 Nov 2001, Brian Pane wrote: > >> * A rewrite of apr_table_overlap() that uses a hash >> table (sort of) instead of qsort > > > i'm not sure this part of the patch is a good idea. the reason > apr_table_overlap() uses qsort is to prevent various O(n^2) DoS attacks > (both time & space). with your hash i think it's possible for attackers > to carefully construct headers such that they all hash the same, which > would result in an O(n^2) time attack. Good point--it's possible to construct an O(n^2) attack with this patch. The same is true of qsort, which is O(n^2) in the worst case, but it's admittedly a lot harder to construct the worst-case data set with qsort. The most straightforward solution that I can think of is to build a balanced tree, rather than a chained hash table, out of the "overlap_key" nodes. I'll post a revised patch once I get a tree implementation working. --Brian