
Mailing List Archive: Apache: Dev
Re: DoS with mod_deflate & range requests
 



wrowe at rowe-clan

Aug 23, 2011, 12:32 PM



On 8/23/2011 1:49 PM, Stefan Fritsch wrote:
>
> From looking at the code, I think the problem is the bucket structs.
> With N the number of requested ranges, the initial brigade is
> partitioned into 2*N buckets at the maximum. Then those buckets are
> copied into the output brigade N times, which means that O(N^2)
> buckets are created. The data is not copied, and only N "A-B" strings
> are allocated from the pool. But the sum of those is limited by
> LimitRequestFieldSize, so it shouldn't be a problem.
>
> Maybe the byte-range filter should call ap_pass_brigade every 10
> ranges or so? Then the buckets should be freed earlier (at least if
> all filters down the chain behave correctly).

I suggest we should be parsing and reassembling the list before we
start the bucket logic. I'd also suggest the following...

This example from the spec...

- Several legal but not canonical specifications of the second 500
bytes (byte offsets 500-999, inclusive):
bytes=500-600,601-999
bytes=500-700,601-999

does not say the last is 200 bytes and 400 bytes, but is explicitly the
second 500 bytes.

I propose we satisfy range requests in the only sensible manner, returning
the ranges in sequence, using a linked list of buckets and combining all
ranges or another mechanism to work out the applicable ranges.

The range processing is limited to some 4000 parts (consisting entirely
of invalid -, segments), and as a practical matter much less than 2500.
Reassemble the list of ranges in sequence as a pre-parsing step, and we
can much more efficiently generate the response with no duplication.

The spec is ambiguous but nowhere suggested that duplicate ranges would
be legitimate.
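
The pre-parsing step proposed in this message, sketched as an added example (not httpd code and not from the original post): parse the Range value, sort the ranges, and merge overlapping or adjacent ones before any bucket work, so repeated or overlapping specs collapse to a few entries. The names `byte_range` and `coalesce_ranges` are hypothetical, and the sketch assumes no whitespace inside the header value.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
typedef struct { long long start, end; } byte_range;  /* inclusive offsets */

static int cmp_start(const void *a, const void *b)
{
    const byte_range *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Parse a Range value for a resource of clen bytes, then sort and merge
 * overlapping or adjacent ranges in place. Returns the merged count, 0 if
 * nothing is satisfiable, -1 on a syntax error or more than max ranges. */
int coalesce_ranges(const char *hdr, long long clen, byte_range *out, int max)
{
    const char *p;
    char *e;
    int n = 0, i, m = 0;

    if (clen <= 0 || strncmp(hdr, "bytes=", 6) != 0) return -1;
    for (p = hdr + 6; *p; p = e) {
        long long s, t;
        if (*p == '-') {                       /* suffix form: last t bytes */
            if (!isdigit((unsigned char)p[1])) return -1;
            t = strtoll(p + 1, &e, 10);
            s = t == 0 ? clen : (t >= clen ? 0 : clen - t);
            t = clen - 1;
        } else {
            if (!isdigit((unsigned char)*p)) return -1;
            s = strtoll(p, &e, 10);
            if (*e++ != '-') return -1;
            t = clen - 1;                      /* default for open-ended "s-" */
            if (isdigit((unsigned char)*e)) {
                t = strtoll(e, &e, 10);
                if (t < s) return -1;
                if (t >= clen) t = clen - 1;
            }
        }
        if (*e == ',') e++; else if (*e) return -1;
        if (s >= clen) continue;               /* unsatisfiable, drop it */
        if (n == max) return -1;
        out[n].start = s; out[n++].end = t;
    }
    if (n == 0) return 0;
    qsort(out, n, sizeof *out, cmp_start);
    for (i = 1; i < n; i++) {
        if (out[i].start <= out[m].end + 1) {  /* overlaps or touches */
            if (out[i].end > out[m].end) out[m].end = out[i].end;
        } else out[++m] = out[i];
    }
    return m + 1;
}
```

Both non-canonical forms quoted from the spec above reduce to the single range 500-999, and the merged list can never cover more bytes than the resource holds.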
