httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject mod_deflate DoS
Date Sun, 28 Jun 2009 18:20:20 GMT
Hi,

we have received a bug report [1] that a DoS is possible with 
mod_deflate since it does not stop to compress large files even after 
the network connection has been closed. This allows to use large 
amounts of CPU if there is a largish (>10 MB) file available that has 
mod_deflate enabled.

An exploit is as easy as 

for a in $(seq 1 100) ; do
curl -H "Accept-Encoding: gzip" -is  http://url.to/large/file.txt | 
head -1  ; done

Fran├žois Guerraz, the bug submitter, also suggested a patch:

--- mod_deflate.c       2008-01-04 15:23:50.000000000 +0100
+++ mod_deflate.c.new   2009-06-26 16:50:36.000000000 +0200
@@ -691,6 +691,10 @@
             continue;
         }

+       if (r->connection->aborted) {
+            return APR_ECONNABORTED;
+        }
+
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);

This greatly reduces the problem. But even with it, quite a bit of 
data is compressed (maybe determined by APR_MMAP_LIMIT == 4MB?).

Cheers,
Stefan

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534712


Mime
View raw message