Return-Path: 
 <dev-return-72357-apmail-httpd-dev-archive=httpd.apache.org@httpd.apache.org>
X-Original-To: apmail-httpd-dev-archive@www.apache.org
Delivered-To: apmail-httpd-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id AEB2B7990
	for <apmail-httpd-dev-archive@www.apache.org>;
 Thu, 25 Aug 2011 12:17:29 +0000 (UTC)
Received: (qmail 82478 invoked by uid 500); 25 Aug 2011 12:17:28 -0000
Delivered-To: apmail-httpd-dev-archive@httpd.apache.org
Received: (qmail 82037 invoked by uid 500); 25 Aug 2011 12:17:22 -0000
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help: <mailto:dev-help@httpd.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@httpd.apache.org>
List-Post: <mailto:dev@httpd.apache.org>
List-Id: <dev.httpd.apache.org>
Delivered-To: mailing list dev@httpd.apache.org
Received: (qmail 81858 invoked by uid 99); 25 Aug 2011 12:17:21 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 25 Aug 2011 12:17:21 +0000
X-ASF-Spam-Status: No, hits=-2.3 required=5.0
	tests=RCVD_IN_DNSWL_MED,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: local policy)
Received: from [195.232.224.73] (HELO mailout04.vodafone.com) (195.232.224.73)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 25 Aug 2011 12:17:12 +0000
Received: from mailint04 (localhost [127.0.0.1])
	by mailout04 (Postfix) with ESMTP id 3152D132570
	for <dev@httpd.apache.org>; Thu, 25 Aug 2011 14:16:52 +0200 (CEST)
Received: from avoexs04.internal.vodafone.com (avoexs04.dc-ratingen.de
 [145.230.4.198])
	(using TLSv1 with cipher RC4-MD5 (128/128 bits))
	(No client certificate requested)
	by mailint04 (Postfix) with ESMTPS id 24549132355
	for <dev@httpd.apache.org>; Thu, 25 Aug 2011 14:16:52 +0200 (CEST)
Received: from VF-MBX11.internal.vodafone.com ([145.230.5.20]) by
 avoexs04.internal.vodafone.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Thu, 25 Aug 2011 14:16:53 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: Fixing Ranges
Date: Thu, 25 Aug 2011 14:16:50 +0200
Message-ID: 
 <E563FB5AB3F02844AC749BA39E494AB4052FC0FE@VF-MBX11.internal.vodafone.com>
In-Reply-To: <201108250138.49474.sf@sfritsch.de>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Fixing Ranges
Thread-Index: Acxitw4n2FAlxlGfTd20XwzdHH3lRQAaQkyw
References: <20110824220643.17819937@baldur>
 <201108242316.18134.sf@sfritsch.de>
 <CAHSOX_Bm+uJ6bZ4tATa_1kmHGZizA_5tcVMt=-WgY2ddi5WyXw@mail.gmail.com>
 <201108250138.49474.sf@sfritsch.de>
From: =?iso-8859-1?Q?=22Pl=FCm=2C_R=FCdiger=2C_VF-Group=22?=
 <ruediger.pluem@vodafone.com>
To: <dev@httpd.apache.org>
X-OriginalArrivalTime: 25 Aug 2011 12:16:53.0039 (UTC)
 FILETIME=[DFB81BF0:01CC6320]
X-Virus-Checked: Checked by ClamAV on apache.org

=20

> -----Original Message-----
> From: Stefan Fritsch =20
> Sent: Donnerstag, 25. August 2011 01:39
> To: dev@httpd.apache.org
> Subject: Re: Fixing Ranges
>=20
> On Thursday 25 August 2011, Greg Ames wrote:
> > On Wed, Aug 24, 2011 at 5:16 PM, Stefan Fritsch <sf@sfritsch.de>=20
> wrote:
> > > I have another idea: Instead of using apr_brigade_partition write
> > > a new function ap_brigade_copy_part that leaves the original
> > > brigade untouched. It would copy the necessary buckets to a new
> > > brigade and then split the first and last of those copied
> > > buckets as necessary and destroy the excess buckets. AFAICS,
> > > this would reduce the quadratic growth into linear. Do you think
> > > that would solve our problems?
> >=20
> > How does apr_brigade_partition contribute to quadratic growth?=20
> > Does the original brigade end up with a lot of one byte buckets?
>=20
> Yes, it splits the buckets in the original brigade, creating=20
> up to two=20
> new buckets for every range. These split one-byte buckets are then=20
> copied again for each of the subsequent ranges.
>=20
> The attached PoC patch does not change the original brigade and seems=20
> to fix the DoS for me. It needs some more work and some review for=20
> integer overflows, though. (apr_brigade_partition does some=20
> interesting things there).
>=20

I guess the following should be adjusted with this patch:

1. Do the same integer casting thing apr_brigade_partition does. So
   convert everything to apr_uint64_t and work with this.

2. Doing a read on a bucket can change its length. So we need to check
   afterwards if we still can split the bucket and if not might do a =
read
   on the next bucket until we are fine.

3. We should do the read bucket thing for the last bucket as well.

I think it would be best if you could commit this PoC patch as is (or =
with adjustments
according to the comments above) to trunk and we polish it up in trunk
until it is fine.

Regards

R=FCdiger