Posted to apache-bugdb@apache.org by Cott Lang <co...@internetstaff.com> on 1999/02/04 21:27:54 UTC
mod_jserv/3834: sessions will only expire at a rate of one per X
>Number: 3834
>Category: mod_jserv
>Synopsis: sessions will only expire at a rate of one per X
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: jserv
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Feb 4 12:30:01 PST 1999
>Last-Modified:
>Originator: cott@internetstaff.com
>Organization:
apache
>Release: 1.3.3 + 1.0b2
>Environment:
Solaris, JDK 1.2
>Description:
The housekeeping thread in JServServletManager.java breaks out of the
loop that searches for expired sessions as soon as it finds a single
expired session - which means that it will expire no more than 1 session
every time it runs - which for most people is the default of 1 minute.
This makes an easy denial of service attack against JServ - simply
throw a steady (but small!) number of sessions at it, and eventually
you will EOutOfMemory.
>How-To-Repeat:
Launch JMeter at a servlet and let it run for a long time.
>Fix:
Remove the break statement from public void run() in JServServletManager.java.
I have tested the *crap* out of this fix. There appears to be NO issue with
removing sessions from the hashtable while stepping through an enumeration.
The fix is simple, stable, and effective.
>Audit-Trail:
>Unformatted:
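The defect and the proposed fix, as an added illustration that is not JServ's own code: a stand-alone sweep over a java.util.Hashtable in the style the report describes, run once with the early `break` and once without. Class, field and method names (Session, sweep, the 30-minute timeout) are assumptions made for this example, not JServ's.

```java
import java.util.Enumeration;
import java.util.Hashtable;

// Minimal stand-in for the session table and the housekeeping pass
// described in the report. Names here are hypothetical, not JServ's.
public class SessionReaperDemo {
    static final class Session {
        final long lastAccessed;
        Session(long lastAccessed) { this.lastAccessed = lastAccessed; }
    }

    // One housekeeping pass over the table. With breakAfterFirst == true it
    // mirrors the reported loop: it stops at the first expired session, so
    // at most one session is removed per run (one per minute by default),
    // and any steady arrival rate above that grows the table without bound.
    static int sweep(Hashtable<String, Session> sessions, long now,
                     long maxInactive, boolean breakAfterFirst) {
        int removed = 0;
        for (Enumeration<String> e = sessions.keys(); e.hasMoreElements();) {
            String id = e.nextElement();
            Session s = sessions.get(id);
            if (s != null && now - s.lastAccessed > maxInactive) {
                // Removing the key just returned by a Hashtable Enumeration is
                // safe: keys()/elements() enumerators are not fail-fast and
                // remove() does not rehash, so traversal continues normally.
                sessions.remove(id);
                removed++;
                if (breakAfterFirst) break;
            }
        }
        return removed;
    }

    public static void main(String[] args) {
        long now = 60L * 60 * 1000;            // "current" time: one hour in ms
        long maxInactive = 30L * 60 * 1000;    // assumed 30-minute session timeout
        // Constructed sample: 100 sessions, all last touched at time 0 (expired).
        Hashtable<String, Session> withBreak = new Hashtable<>();
        Hashtable<String, Session> withoutBreak = new Hashtable<>();
        for (int i = 0; i < 100; i++) {
            withBreak.put("sid-" + i, new Session(0L));
            withoutBreak.put("sid-" + i, new Session(0L));
        }
        System.out.println("with break:    removed "
            + sweep(withBreak, now, maxInactive, true) + ", left " + withBreak.size());
        System.out.println("without break: removed "
            + sweep(withoutBreak, now, maxInactive, false) + ", left " + withoutBreak.size());
    }
}
```

The first line shows the sweep stopping after a single removal; the second shows the fixed loop draining every expired session in one pass.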