httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mohamed Dawaina <mohameddawa...@gmail.com>
Subject Re: DoS with mod_deflate & range requests
Date Tue, 23 Aug 2011 18:52:11 GMT
please tell me how to unsubscribe from this mailing list

On Tue, Aug 23, 2011 at 9:49 PM, Stefan Fritsch <sf@sfritsch.de> wrote:

> On Tuesday 23 August 2011, William A. Rowe Jr. wrote:
> > On 8/23/2011 6:08 AM, Stefan Fritsch wrote:
> > > http://seclists.org/fulldisclosure/2011/Aug/175
> > >
> > > I haven't looked into it so far. And I am not sure I will have
> > > time today.
> >
> > Until range can be completely addressed, avoiding excessive numbers
> > of ranges (tricky) or overlapping ranges (pretty
> > straightforward)... what about simply disabling deflate on range
> > requests?
>
> There is this PR:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49772
>
> "mod_deflate kicks itself out on Content-Range responses but not on
> multipart/byteranges"
>
> This may be one of the issues. But as RĂ¼diger pointed out, there is
> also an issue without mod_deflate.
>
> From looking at the code, I think the problem is the bucket structs.
> With N the number of requested ranges, the initial brigade is
> partitioned into 2*N buckets at the maximum. Then those buckets are
> copied into the output brigade N times, which means that O(N^2)
> buckets are created. The data is not copied, and only N "A-B" strings
> are allocated from the pool. But the sum of those is limited by
> LimitRequestFieldSize, so it shouldn't be a problem.
>
> Maybe the byte-range filter should call ap_pass_brigade every 10
> ranges or so? Then the buckets should be freed earlier (at least if
> all filters down the chain behave correctly).
>
>


-- 
Mohamed D. Sulaiman
Farmer's Commercial Bank
Banking Technology Unit
Cell: (+249) 923407600
Website: http://www.mohameddawaina.site40.net

Mime
View raw message