httpd-dev mailing list archives

From Alexei Kosut <ako...@leland.Stanford.EDU>
Subject Re: [finrod@EWOX.ORG: YA Apache DoS attack]
Date Fri, 07 Aug 1998 22:58:45 GMT
On Fri, 7 Aug 1998, Dan Jacobowitz wrote:

> I'm sure you've probably all seen this as soon as I did, but:
> 
> is this still an issue with 1.3?

I haven't tested it, but probably (if it's in fact an issue at all). It
has to do with the pool stuff, and demonstrates why a pfree() might
be a good idea. IMO, this is probably what happens:

1. First "User-agent: sioux" comes in. Apache creates an entry in the
headers_in table for "User-agent", puts a copy of "sioux" in it.

2. Next "User-agent: sioux" comes in. Apache (in ap_table_mergen) creates
a new string containing the contents of the previous entry ("sioux"), a
comma, and the new entry ("sioux"). It keeps the old string around in
memory, doing nothing.

3. Repeat step 2. For 10,000 headers, we have 10,000 + 9,999 + 9,998 + ...
+ 2 + 1 = 50,005,000 copies of the string in memory (which, for a
seven-byte string 'sioux, ', matches up with the 392 meg usage the report
indicates), even though the actual pointer linked from the "User-agent"
string only has 10,000 copies (70k).

Seems like a problem to me, although I find the guy's attitude annoying:
He can take the time to write up scripts, polish them with copyright
notices and things, do tests to figure out where the problem might be, but
can't spend two minutes typing things into a web page?

Still, we might want to publicize the security@apache.org email alias?

-- Alexei Kosut <akosut@stanford.edu> <http://www.stanford.edu/~akosut/>
   Stanford University, Class of 2001 * Apache <http://www.apache.org> *
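The three-step sequence Alexei describes above (each repeated header is merged into a fresh pool string while the superseded string stays allocated) can be reproduced with a toy pool allocator. The program below is an added illustration, not Alexei's code and not Apache's alloc.c or ap_table_mergen: `palloc`, `pfree`, `merge` and `simulate` are hypothetical stand-ins modelled on the behaviour the message describes, the header value "sioux" and the count of 10,000 are taken from the message, and the "with pfree" path is the hypothetical early-release the message says might be a good idea. It reports peak pool usage for both paths so the quadratic growth of the no-free case can be seen directly.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy pool modelled on Apache 1.x pools: every allocation lives until the
 * pool is cleared.  Each block carries a small header so that a hypothetical
 * pfree() can be demonstrated as well.  Illustrative code, not Apache's. */
typedef struct blk { struct blk *prev, *next; size_t size; } blk;
typedef struct { blk *head; size_t live, peak; } pool_t;

static void *palloc(pool_t *p, size_t n) {
    blk *b = malloc(sizeof *b + n);
    if (!b) abort();
    b->size = n; b->prev = NULL; b->next = p->head;
    if (p->head) p->head->prev = b;
    p->head = b;
    p->live += n;                      /* live bytes only ever grow ... */
    if (p->live > p->peak) p->peak = p->live;
    return b + 1;                      /* user data follows the header */
}

/* Hypothetical pfree(): give one block back early.  Apache 1.3 had no such
 * call; this is the "pfree() might be a good idea" path from the message. */
static void pfree(pool_t *p, void *ptr) {
    blk *b = (blk *)ptr - 1;
    if (b->prev) b->prev->next = b->next; else p->head = b->next;
    if (b->next) b->next->prev = b->prev;
    p->live -= b->size;                /* ... unless something frees them */
    free(b);
}

static void pool_clear(pool_t *p) {
    while (p->head) pfree(p, p->head + 1);
}

static char *pstrdup(pool_t *p, const char *s) {
    size_t n = strlen(s) + 1;
    return memcpy(palloc(p, n), s, n);
}

/* Merge the way the message describes ap_table_mergen: build "old, add" in
 * fresh pool memory.  With free_old set, the superseded string is released. */
static char *merge(pool_t *p, char *old, const char *add, int free_old) {
    size_t lo = strlen(old), la = strlen(add);
    char *s = palloc(p, lo + 2 + la + 1);
    memcpy(s, old, lo);
    memcpy(s + lo, ", ", 2);
    memcpy(s + lo + 2, add, la + 1);
    if (free_old) pfree(p, old);
    return s;
}

/* Feed n identical "User-agent: val" headers through the merge path and
 * return peak pool usage in bytes; *final_len gets the merged value length. */
static size_t simulate(const char *val, int n, int free_old, size_t *final_len) {
    pool_t p = {0};
    char *cur = pstrdup(&p, val);            /* first header: a plain copy   */
    for (int i = 1; i < n; i++)
        cur = merge(&p, cur, val, free_old); /* each later one: "..., val"   */
    *final_len = strlen(cur);
    size_t peak = p.peak;
    pool_clear(&p);
    return peak;
}

/* Convenience wrappers for callers that want a single figure. */
static size_t peak_usage(const char *val, int n, int free_old) {
    size_t len; return simulate(val, n, free_old, &len);
}
static size_t final_length(const char *val, int n) {
    size_t len; simulate(val, n, 0, &len); return len;
}

int main(void) {
    int n = 10000;                           /* header count from the report */
    printf("final header value: %zu bytes\n", final_length("sioux", n));
    printf("peak pool usage without pfree: %zu bytes\n", peak_usage("sioux", n, 0));
    printf("peak pool usage with pfree:    %zu bytes\n", peak_usage("sioux", n, 1));
    return 0;
}
```

For a k-byte value the no-free peak is 6n + 7n(n-1)/2 bytes with k = 5, i.e. the 10,000 + 9,999 + ... + 1 sum of seven-byte pieces the message works out, roughly 350 MB for 10,000 headers; the pfree path holds at most two strings at once and stays under 140 KB for the same input. The figures above count only bytes requested from the pool, not malloc or pool block overhead, which is one reason a measured process size comes out somewhat larger.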