httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: DoS with mod_deflate & range requests
Date Tue, 23 Aug 2011 18:49:57 GMT
On Tuesday 23 August 2011, William A. Rowe Jr. wrote:
> On 8/23/2011 6:08 AM, Stefan Fritsch wrote:
> > http://seclists.org/fulldisclosure/2011/Aug/175
> > 
> > I haven't looked into it so far. And I am not sure I will have
> > time today.
> 
> Until range can be completely addressed, avoiding excessive numbers
> of ranges (tricky) or overlapping ranges (pretty
> straightforward)... what about simply disabling deflate on range
> requests?

There is this PR:

https://issues.apache.org/bugzilla/show_bug.cgi?id=49772

"mod_deflate kicks itself out on Content-Range responses but not on 
multipart/byteranges"

This may be one of the issues. But as Rüdiger pointed out, there is 
also an issue without mod_deflate.

From looking at the code, I think the problem is the bucket structs.  
With N the number of requested ranges, the initial brigade is 
partitioned into 2*N buckets at the maximum. Then those buckets are 
copied into the output brigade N times, which means that O(N^2) 
buckets are created. The data is not copied, and only N "A-B" strings 
are allocated from the pool. But the sum of those is limited by 
LimitRequestFieldSize, so it shouldn't be a problem.

Maybe the byte-range filter should call ap_pass_brigade every 10 
ranges or so? Then the buckets should be freed earlier (at least if 
all filters down the chain behave correctly).
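
A simplified model of the bucket accounting described in the message above, as an added example that is not httpd code and not part of the original post: it resolves a `Range` header, flags overlapping ranges, and counts how many bucket copies the ranges produce with and without passing the brigade on every few ranges. The function names, the 1000-byte resource length and both sample headers are constructed for illustration, and one bucket is assumed per partition segment copied per range.

```python
from bisect import bisect_left

def parse_ranges(header, length):
    """Resolve a 'bytes=' Range header to inclusive (start, end) pairs."""
    unit, _, spec = header.partition("=")
    if unit.strip().lower() != "bytes":
        return []
    out = []
    for part in spec.split(","):
        first, sep, last = (p.strip() for p in part.partition("-"))
        if not sep or (first and not first.isdecimal()) or (last and not last.isdecimal()):
            continue                          # malformed spec: ignore it
        if first == "":                       # suffix form "-N": last N bytes
            if not last or int(last) == 0:
                continue
            start, end = max(0, length - int(last)), length - 1
        else:                                 # "A-B" or open-ended "A-"
            start = int(first)
            end = min(int(last), length - 1) if last else length - 1
        if start <= end:
            out.append((start, end))
    return out

def has_overlap(ranges):
    """True if any two ranges share a byte (adjacent check on sorted starts)."""
    ordered = sorted(ranges)
    return any(b[0] <= a[1] for a, b in zip(ordered, ordered[1:]))

def bucket_counts(ranges, flush_every=None):
    """Return (total bucket copies, peak live copies) for the modelled filter."""
    # Every range boundary splits the body, so at most 2*N cut points exist.
    cuts = sorted({c for s, e in ranges for c in (s, e + 1)})
    total = live = peak = 0
    for i, (s, e) in enumerate(ranges, 1):
        copies = bisect_left(cuts, e + 1) - bisect_left(cuts, s)  # segments in range
        total += copies
        live += copies
        peak = max(peak, live)
        if flush_every and i % flush_every == 0:
            live = 0   # assumption: passing the brigade on frees these buckets
    return total, peak

# Constructed sample headers for a 1000-byte resource, 100 ranges each.
OVERLAPPING = "bytes=" + ",".join(f"{i}-" for i in range(100))
DISJOINT = "bytes=" + ",".join(f"{10 * i}-{10 * i + 4}" for i in range(100))
```

In this model, disjoint ranges cost one bucket copy each, overlapping ranges grow quadratically in the number of ranges, and flushing every 10 ranges leaves the total unchanged but lowers the peak number held at once.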

