httpd-dev mailing list archives

From Greg Ames <ames.g...@gmail.com>
Subject Re: svn commit: r1161661 - /httpd/httpd/trunk/modules/http/byterange_filter.c
Date Fri, 26 Aug 2011 19:18:28 GMT
On Fri, Aug 26, 2011 at 10:27 AM, Jim Jagielski <jim@apache.org> wrote:

> > I guess we can do both: Count the ',' and give the number to
> > apr_array_make
>
> Doesn't that mean that someone can craft a nasty Range (e.g: 0-0,1-1,2-2,
> 3-3,….99999999-99999999 and cause us to preallocate a bunch
> of memory when at the end we'll get 0-99999999 ???

it won't fit in a header field of (default) legal length.  the attack vector
that killed us before the copy_brigade_range() patch keeps a single digit
start specifier and nearly fills up a legal header when the end
specifier gets up to 1300.

fwiw, I calculated that with the original code and a tiny bit more malicious
attack vector, we would allocate 848,250 buckets per thread per request.

Greg
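
Added example, not part of the original message and not httpd's code: a plain-C sketch of the approach discussed in this thread, counting the `,` characters to pre-size the range array (bounded because the header field itself is length-limited) and then folding adjacent ranges so that `0-0,1-1,2-2,3-3` collapses to one range. The names `range_t`, `count_ranges` and `parse_and_merge` are hypothetical, `malloc` stands in for `apr_array_make`, and only explicit `start-end` pairs are accepted.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_LIMIT 8190 /* httpd's default LimitRequestFieldSize (bytes) */
typedef struct { long start, end; } range_t; /* hypothetical type */

/* Commas + 1: an upper bound on the range count, itself bounded by FIELD_LIMIT. */
static size_t count_ranges(const char *spec) {
    size_t n = 1;
    for (; *spec; spec++) if (*spec == ',') n++;
    return n;
}

/* Parse "a-b,c-d,..." into a buffer pre-sized by count_ranges(), folding a range
 * into the previous one when it overlaps or touches it. Returns the merged
 * count, or -1 on malformed or over-long input. Caller frees *out. */
static int parse_and_merge(const char *spec, range_t **out) {
    if (strlen(spec) > FIELD_LIMIT) return -1;
    range_t *r = malloc(count_ranges(spec) * sizeof *r);
    if (!r) return -1;
    int n = 0;
    for (const char *p = spec; *p; ) {
        char *e;
        long s = strtol(p, &e, 10);
        if (e == p || s < 0 || *e != '-') goto bad;
        p = e + 1;
        long t = strtol(p, &e, 10);
        if (e == p || t < s) goto bad;
        if (n > 0 && s >= r[n - 1].start && s - 1 <= r[n - 1].end) {
            if (t > r[n - 1].end) r[n - 1].end = t;   /* extend previous */
        } else {
            r[n].start = s; r[n].end = t; n++;        /* keep as new range */
        }
        if (*e == ',' && e[1] != '\0') p = e + 1;
        else if (*e == '\0') p = e;
        else goto bad;
    }
    if (n == 0) goto bad;
    *out = r;
    return n;
bad:
    free(r);
    return -1;
}
int main(void) {
    range_t *r;
    int n = parse_and_merge("0-0,1-1,2-2,3-3", &r); /* constructed input */
    if (n > 0) { printf("%d range(s), first %ld-%ld\n", n, r[0].start, r[0].end); free(r); }
    return 0;
}
```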
