
Apache bug, eats memory...



Hi,

the following pieces of mail came by on BugTraq.
It appears that Apache (1.2.5 and 1.2.6 tested; 1.3 is vulnerable according
to Ben Laurie [Apache member]) doesn't handle the case when there are
a lot (say 10,000) of "User-Agent:" headers. (Other headers could also
work!)

An exploit with source-code was posted on BugTraq.

Excerpts from the mail by <finrod EWOX ORG>:
| There seems to be a simple way of badly DoSing any Apache server. It
| involved a massive memory leak in the way it handles incoming request
| headers. I based my exploit on the assumption that they use setenv()
| (which they don't) and that the bug occurs when you send a header that
| will end up as an environment variable if you request a CGI script
| (such as User-Agent), but I have since verified that there is no
| connection there. Anyway, you can blow Apache through the roof by
| sending it tons of headers - the server's memory consumption seems to
| be a steep polynomial of the amount of data you send it. Below is a
| snapshot of top(1) about one minute after I sent my server a request
| with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
| of data)
|---cut---
| last pid: 29187;  load averages:  1.82,  1.06,  0.68 18:21:36
| 82 processes:  2 running, 80 sleeping
| CPU states: 93.5% user, 0.0% nice, 6.1% system, 0.4% interrupt, 0.0% idle
| Mem: 82M Active, 5692K Inact, 31M Wired, 4572K Cache, 8349K Buf, 616K Free
| Swap: 512M Total, 402M Used, 110M Free, 79% Inuse, 5412K In, 748K Out
| PID USERNAME PRI NICE  SIZE    RES STATE    TIME   WCPU    CPU COMMAND
| 29176 www      -18   0   392M 85612K swread   0:57  6.83%  6.83% httpd
|---cut---

Ben Laurie (team Apache) <ben ALGROUP CO UK> responded swiftly:
| And here's a band-aid for 1.3.1 - I'm sure we'll come up with something
| better soon. This (untested) patch should prevent the worst effects. A
| similar patch should work for 1.2.x.

He posted this band-aid:

Index: http_protocol.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.229
diff -u -r1.229 http_protocol.c
--- http_protocol.c     1998/08/06 17:30:30     1.229
+++ http_protocol.c     1998/08/07 23:02:56
@@ -714,6 +714,7 @@
     int len;
     char *value;
     char field[MAX_STRING_LEN];
+    int nheaders=0;

     /*
      * Read header lines until we get the empty separator line, a read error,
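Review bot: the new counter `int nheaders=0;` is declared without any comment saying what it bounds, and the limit it enforces exists only as a literal further down in the loop; add a one-line comment here (or introduce the limit as a named `#define` beside this declaration) so the cap is discoverable from where the counter lives, and write the initialiser as `nheaders = 0` with conventional spacing.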
@@ -723,6 +724,11 @@
         char *copy = ap_palloc(r->pool, len + 1);
         memcpy(copy, field, len + 1);

+        if(++nheaders == 100) {
+           r->status = HTTP_BAD_REQUEST;
+           return;
+       }
+
         if (!(value = strchr(copy, ':'))) {     /* Find the colon separator */
             r->status = HTTP_BAD_REQUEST;       /* or abort the bad request */
             return;
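Review bot: the cap is checked one step too late: `if(++nheaders == 100)` sits after `ap_palloc(r->pool, len + 1)` and the `memcpy`, so the field that triggers the rejection has already been copied into the request pool before the request is refused. Move the counter check above the `ap_palloc` so nothing is allocated for a field that will not be accepted. Two smaller points: 100 is a bare literal where a named constant (ideally a configurable limit) belongs, and `== 100` should be `>= 100` so the check cannot be stepped past if the counter is ever adjusted elsewhere. The body of the new `if` is indented by three spaces where the surrounding code uses four.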

I think this is worth patching ;-)
No reports so far about people using this in the "wild"...

Greetings,
Jan-Philip Velders

<jpv jvelders tn tudelft nl>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Nederlandse Linux GebruikersGroep : http://www.nllgg.nl |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
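The idea behind the band-aid, a hard cap on the number of request header fields, as an added stand-alone example. This is not Apache's code and not the patch above: the reader, the limits, the names (read_headers, build_flood, scan_flood, DEFAULT_FIELD_LIMIT, MAX_STRING_LEN) and the flood request it feeds itself are all constructed here. It differs from the patch in one deliberate way: the count is checked before a field is copied into the (simulated) pool, so a flood of any size costs at most the capped number of copies.

```c
/* Added example: a request-header reader with a field-count cap, modelled on
 * the band-aid above but not Apache's own code. All names are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_LEN 8192      /* assumed per-line ceiling, in the spirit of field[] */
#define DEFAULT_FIELD_LIMIT 100  /* the band-aid's literal 100, given a name */

enum { HTTP_OK = 200, HTTP_BAD_REQUEST = 400 };

struct header_scan {
    int status;          /* 200 if the header block was accepted, 400 if rejected */
    int nheaders;        /* header lines copied before stopping */
    size_t pool_bytes;   /* bytes a per-request pool would have absorbed */
};

/* Scan `req` (request line followed by header lines) up to the empty
 * separator line. The cap is tested before any copy is made, so a flood
 * can cost at most `limit` copies. Copies are only accounted for in
 * pool_bytes, not kept, to keep the example self-contained. */
struct header_scan read_headers(const char *req, size_t len, int limit)
{
    struct header_scan s = { HTTP_BAD_REQUEST, 0, 0 };
    const char *eol = memchr(req, '\n', len);
    if (!eol)
        return s;                               /* no complete request line */
    size_t pos = (size_t)(eol - req) + 1;       /* skip the request line */

    while (pos < len) {
        eol = memchr(req + pos, '\n', len - pos);   /* bare LF tolerated */
        if (!eol)
            return s;                           /* truncated header block */
        size_t line_len = (size_t)(eol - (req + pos));
        if (line_len > 0 && req[pos + line_len - 1] == '\r')
            line_len--;

        if (line_len == 0) {                    /* empty line ends the headers */
            s.status = HTTP_OK;
            return s;
        }
        if (line_len >= MAX_STRING_LEN)         /* over-long field line */
            return s;
        if (s.nheaders >= limit)                /* cap checked BEFORE the copy */
            return s;
        if (!memchr(req + pos, ':', line_len))  /* no colon separator */
            return s;

        s.pool_bytes += line_len + 1;           /* what ap_palloc(len + 1) costs */
        s.nheaders++;
        pos = (size_t)(eol - req) + 1;
    }
    return s;                                   /* data ended before the separator */
}

/* Build the request finrod described: one request line plus `n` copies of
 * "User-Agent: sioux\r\n" (constructed input, not captured traffic). Before
 * the terminating CRLF this is 16 + 19*n bytes; for n = 10000 that is
 * 190,016, the figure quoted in the excerpt above. */
char *build_flood(int n, size_t *out_len)
{
    static const char reqline[] = "GET / HTTP/1.0\r\n";
    static const char hdr[] = "User-Agent: sioux\r\n";
    size_t rl = sizeof reqline - 1, hl = sizeof hdr - 1;
    size_t total = rl + (size_t)n * hl + 2;
    char *buf = malloc(total + 1);
    if (!buf)
        return NULL;
    char *p = buf;
    memcpy(p, reqline, rl); p += rl;
    for (int i = 0; i < n; i++) { memcpy(p, hdr, hl); p += hl; }
    memcpy(p, "\r\n", 2); p += 2;
    *p = '\0';
    *out_len = total;
    return buf;
}

/* Build an n-header flood, scan it with `limit`, free it, return the result. */
struct header_scan scan_flood(int n, int limit)
{
    struct header_scan s = { HTTP_BAD_REQUEST, 0, 0 };
    size_t len;
    char *flood = build_flood(n, &len);
    if (!flood)
        return s;
    s = read_headers(flood, len, limit);
    free(flood);
    return s;
}

int main(void)
{
    struct header_scan uncapped = scan_flood(10000, 1000000);
    struct header_scan capped = scan_flood(10000, DEFAULT_FIELD_LIMIT);
    printf("no cap : status %d, %d headers, %zu pool bytes\n",
           uncapped.status, uncapped.nheaders, uncapped.pool_bytes);
    printf("cap %d: status %d, %d headers, %zu pool bytes\n", DEFAULT_FIELD_LIMIT,
           capped.status, capped.nheaders, capped.pool_bytes);
    return 0;
}
```

With the cap in place the 10,000-header request is refused after 100 fields and the simulated pool holds 1,800 bytes instead of 180,000; the same reader with no effective limit accepts all 10,000 fields, which is the growth the top(1) snapshot above shows on a real server.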


