httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: DoS with mod_deflate & range requests
Date Tue, 23 Aug 2011 21:34:29 GMT
On 8/23/2011 4:00 PM, Greg Ames wrote:
> 
> On Tue, Aug 23, 2011 at 3:32 PM, William A. Rowe Jr. wrote:
> 
>     I suggest we should be parsing and reassembling the list before we
>     start the bucket logic. 
> 
>     I propose we satisfy range requests in the only sensible manner, returning
>     the ranges in sequence,
> 
> yeah, overlapping ranges should be merged up front. That ought to completely fix the issue.

So the only remaining question: are we free to reorder them into sequence?

Even in the most pedantic case, I believe that the total array shouldn't
ever exceed 1024, because in those cases a large number of the acceptable
expected ranges should be in the nnn-nnn, format, or 8 characters long,
out of our MAX_LINE_LENGTH of some 8190.  If we argue that asking for
single bytes is simply wrong, we should probably allocate some 16 ranges
and grow the list by a power of four, resulting in a max of some 4 allocs
and maximum memory consumption of less than 64k per request.
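
The parse, sort and merge step discussed in this message, as an added example that is not part of the original message and is not httpd code. It assumes explicit `first-last` ranges only and uses a fixed array sized to the 1024 bound argued above rather than the growing allocation the message proposes; `byte_range`, `parse_and_merge` and `MAX_RANGES` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_RANGES 1024   /* bound argued in the message: ~8190 / 8 */
typedef struct { long start, end; } byte_range;   /* inclusive offsets */

static int cmp_start(const void *a, const void *b)
{
    const byte_range *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Parse "first-last,first-last,..." (explicit forms only; an assumption of
 * this sketch), sort by start, then merge overlapping ranges in place.
 * Returns the merged count, or -1 on bad syntax or more than max ranges. */
int parse_and_merge(const char *spec, byte_range *r, int max)
{
    int n = 0, out = 0, i;
    while (*spec) {
        char *e;
        if (n == max || *spec < '0' || *spec > '9') return -1;
        r[n].start = strtol(spec, &e, 10);
        if (*e != '-' || e[1] < '0' || e[1] > '9') return -1;
        r[n].end = strtol(e + 1, &e, 10);
        if (r[n].end < r[n].start) return -1;
        n++;
        if (*e == ',') e++;
        else if (*e != '\0') return -1;
        spec = e;
    }
    if (n == 0) return -1;
    qsort(r, n, sizeof *r, cmp_start);
    for (i = 1; i < n; i++) {
        if (r[i].start <= r[out].end) {            /* overlaps current run */
            if (r[i].end > r[out].end) r[out].end = r[i].end;
        } else {
            r[++out] = r[i];                       /* start a new run */
        }
    }
    return out + 1;
}

int main(void)
{
    byte_range r[MAX_RANGES];
    /* constructed sample value, not taken from the thread */
    int i, n = parse_and_merge("0-99,50-149,0-9,500-599,120-130", r, MAX_RANGES);
    for (i = 0; i < n; i++) printf("%ld-%ld\n", r[i].start, r[i].end);
    return n < 0;
}
```

After merging, the ranges are disjoint and in ascending order, so the bytes sent for one request can never exceed the size of the resource, however many overlapping ranges were requested.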

