Posted to apache-bugdb@apache.org by Cott Lang <co...@internetstaff.com> on 1999/02/04 21:27:54 UTC

mod_jserv/3834: sessions will only expire at a rate of one per X

>Number:         3834
>Category:       mod_jserv
>Synopsis:       sessions will only expire at a rate of one per X
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jserv
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Feb  4 12:30:01 PST 1999
>Last-Modified:
>Originator:     cott@internetstaff.com
>Organization:
apache
>Release:        1.3.3 + 1.0b2
>Environment:
Solaris, JDK 1.2
>Description:
The housekeeping thread in JServServletManager.java breaks out of the
loop that searches for expired sessions as soon as it finds a single
expired session, which means that it will expire no more than one session
each time it runs; for most people that is the default interval of 1 minute.

This makes for an easy denial-of-service attack against JServ: simply
throw a steady (but small!) number of sessions at it, and eventually
you will hit EOutOfMemory.
>How-To-Repeat:
Launch JMeter at a servlet and let it run for a long time.
>Fix:
Remove the break statement from public void run() in JServServletManager.java.

I have tested the *crap* out of this fix. There appears to be NO issue with
removing sessions from the hashtable while stepping through an enumeration.
The fix is simple, stable, and effective.
>Audit-Trail:
>Unformatted:
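The following is an added illustration of the behaviour this PR describes and of the proposed fix; it is not JServ's own code and not part of the original report. The Session class, the sweep methods and the sample data are hypothetical stand-ins for the housekeeping loop in JServServletManager.run(). The two sweeps are identical except for the break statement, and the trickle simulation at the end shows why the buggy version lets the session table grow without bound when new sessions arrive faster than one per housekeeping interval.

```java
import java.util.Enumeration;
import java.util.Hashtable;

/** Added demo of the PR's bug and fix; not JServ's code. */
public class SessionSweepDemo {

    /** Hypothetical session record holding only what the sweep needs. */
    static final class Session {
        final String id;
        final long lastAccessed;   // millis since epoch
        final long maxInactive;    // millis of allowed idle time

        Session(String id, long lastAccessed, long maxInactive) {
            this.id = id;
            this.lastAccessed = lastAccessed;
            this.maxInactive = maxInactive;
        }

        boolean isExpired(long now) {
            return now - lastAccessed > maxInactive;
        }
    }

    /** Buggy sweep as reported: stops after the first expired session it finds. */
    static int sweepWithBreak(Hashtable<String, Session> sessions, long now) {
        int removed = 0;
        for (Enumeration<String> e = sessions.keys(); e.hasMoreElements(); ) {
            String id = e.nextElement();
            Session s = sessions.get(id);
            if (s != null && s.isExpired(now)) {
                sessions.remove(id);
                removed++;
                break;   // the bug: at most one session expires per run
            }
        }
        return removed;
    }

    /** Fixed sweep: the same loop with the break removed, so every expired session goes. */
    static int sweepAll(Hashtable<String, Session> sessions, long now) {
        int removed = 0;
        for (Enumeration<String> e = sessions.keys(); e.hasMoreElements(); ) {
            String id = e.nextElement();
            Session s = sessions.get(id);
            if (s != null && s.isExpired(now)) {
                // Removing during enumeration is safe here: Hashtable's
                // Enumeration (unlike its Iterator views) is not fail-fast.
                sessions.remove(id);
                removed++;
            }
        }
        return removed;
    }

    /** Constructed sample data: `stale` expired sessions plus `fresh` live ones. */
    static Hashtable<String, Session> sampleTable(int stale, int fresh, long now, long timeout) {
        Hashtable<String, Session> t = new Hashtable<>();
        for (int i = 0; i < stale; i++) {
            t.put("stale-" + i, new Session("stale-" + i, now - timeout - 1, timeout));
        }
        for (int i = 0; i < fresh; i++) {
            t.put("fresh-" + i, new Session("fresh-" + i, now, timeout));
        }
        return t;
    }

    /**
     * Simulates a steady trickle of `perTick` new sessions per housekeeping interval
     * and returns how many sessions the table still holds after `ticks` runs.
     */
    static int trickle(boolean fixed, int ticks, int perTick, long interval, long timeout) {
        Hashtable<String, Session> t = new Hashtable<>();
        long start = 0L;
        for (int tick = 0; tick < ticks; tick++) {
            long now = start + tick * interval;
            for (int i = 0; i < perTick; i++) {
                String id = "s" + tick + "-" + i;
                t.put(id, new Session(id, now, timeout));
            }
            if (fixed) sweepAll(t, now); else sweepWithBreak(t, now);
        }
        return t.size();
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        long timeout = 30L * 60 * 1000;   // 30-minute idle timeout

        Hashtable<String, Session> a = sampleTable(50, 5, now, timeout);
        System.out.println("buggy sweep removed " + sweepWithBreak(a, now) + ", " + a.size() + " remain");

        Hashtable<String, Session> b = sampleTable(50, 5, now, timeout);
        System.out.println("fixed sweep removed " + sweepAll(b, now) + ", " + b.size() + " remain");

        // Three new sessions per 1-minute housekeeping run, 1-minute idle timeout.
        long minute = 60_000L;
        System.out.println("after 20 runs, buggy: " + trickle(false, 20, 3, minute, minute) + " sessions held");
        System.out.println("after 20 runs, fixed: " + trickle(true, 20, 3, minute, minute) + " sessions held");
    }
}
```

Compile and run with javac/java as usual. The first two lines of output show that one buggy sweep leaves 49 of the 50 stale sessions in place while the fixed sweep clears all of them; the trickle lines show the buggy table growing by roughly two sessions per run while the fixed table stays bounded at the sessions that are still within their idle timeout. The comment in sweepAll records the detail behind the reporter's observation about enumerating while removing: java.util.Hashtable's Enumeration from keys() does not check for concurrent modification, whereas the Iterator obtained from keySet() does and would throw ConcurrentModificationException.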