Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@mch.sni.de> on 1998/01/15 12:12:36 UTC

[PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)

On Wed, Jan 14, 1998 at 02:50:01PM -0600, Igor Tatarinov wrote:
> But why not do this checking in mod_auth ?
> or pcfg_openfile might be the right function to fix.

I think that's a sensible idea. The number of pcfg_openfile() calls is
limited to reading the config files, the htpasswd files, the .htaccess
files, in short all those files where it is not acceptable to read
from devices (or directories ;-).

Why not add another fstat() and check for S_IFREG()? The appended patch
does that (and fixes some more bugs in pcfg_openfile():
    * the debug message was at the wrong place and would print an arbitrary
      setting of errno
    * filename==NULL was only checked in the debug message, but not in the
      corresponding fopen()
)

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)

Posted by Marc Slemko <ma...@worldgate.com>.
On Thu, 15 Jan 1998, Martin Kraemer wrote:

> On Thu, Jan 15, 1998 at 02:06:31PM -0700, Marc Slemko wrote:
> > 
> > No, read the first bit.  You trash the request if you don't reach end of
> > line before end of the 8k buffer you read from.
> 
> But suppose you read from /dev/tape, and the first n kilobytes
> indeed look sensible? Say, the tape is filled with 2GB worth of
> newlines?
> 
> I would prefer to check the device first.

But if they create a sparse file then they can do this anyway even if you
do check the device.

I'm not entirely convinced that checking if it is a device avoids all the
problems either.  Say you have a system with any large file on; poof, you
can still use it.  I really have trouble thinking of large world readable
devices that return text.


Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Thu, Jan 15, 1998 at 02:06:31PM -0700, Marc Slemko wrote:
> 
> No, read the first bit.  You trash the request if you don't reach end of
> line before end of the 8k buffer you read from.

But suppose you read from /dev/tape, and the first n kilobytes
indeed look sensible? Say, the tape is filled with 2GB worth of
newlines?

I would prefer to check the device first.

    Martin

Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)

Posted by Marc Slemko <ma...@worldgate.com>.
On Thu, 15 Jan 1998, Martin Kraemer wrote:

> On Thu, Jan 15, 1998 at 01:43:42PM -0700, Marc Slemko wrote:
> > This does not completely prevent the attempt at reading the file from
> > blocking (only in at least 99% of the cases; although 1% can be bad...)
> > but does make it a lot more difficult for it to block and prevents endless
> > reads.  
> I think that blocking is not the only result of this kind of DoS attack:
> even when the server continues to read (/dev/zero), it will NEVER reach
> EOF. So huge amounts of CPU power can be bound by a few evil processes.

No, read the first bit.  You trash the request if you don't reach end of
line before end of the 8k buffer you read from.

> 
> > Heck, let's think up some cool attacks on systems that use automounters or
> > AFS.
> 
> What a cruel idea...! Oh, yes, that could take some time...
> 
>     Martin

Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Thu, Jan 15, 1998 at 01:43:42PM -0700, Marc Slemko wrote:
> This does not completely prevent the attempt at reading the file from
> blocking (only in at least 99% of the cases; although 1% can be bad...)
> but does make it a lot more difficult for it to block and prevents endless
> reads.  
I think that blocking is not the only result of this kind of DoS attack:
even when the server continues to read (/dev/zero), it will NEVER reach
EOF. So huge amounts of CPU power can be bound by a few evil processes.

> Heck, let's think up some cool attacks on systems that use automounters or
> AFS.

What a cruel idea...! Oh, yes, that could take some time...

    Martin

Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)

Posted by Martin Kraemer <Ma...@mch.sni.de>.
On Thu, Jan 15, 1998 at 12:12:36PM +0100, Martin Kraemer wrote:
> +    if (name == NULL) {
> +	aplog_error(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, NULL,
> +		    "Internal error: pcfg_openfile() called with NULL filename");
> +	/*assert(name != NULL);*/
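Review bot: in the visible lines the only guard after the aplog_error() call is the commented-out `/*assert(name != NULL);*/`, so a NULL name would still fall through to the fopen() that the cover message says was previously unchecked; return an error (a NULL configfile_t) immediately after logging, or keep the assert active under a debug build, rather than relying on a comment.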

Forget my patch. I just realized that someone mis-used the pcfg_openfile()
interface (instead of using the pcfg_open_custom() which was implemented
to deal with non-file based "custom" interfaces) to read the -c/-C
configure lines.

That's not good! And it leaves (as implemented) an uninitialized FILE *file
pointer in the returned configfile_t structure -- which isn't good either!

So do NOT use the patch - instead wait until I have had a look at it and
maybe changed the memory-based cfg reading to use pcfg_open_custom(),
or at least *DOCUMENT* the inappropriate interface mis-use and
*INITIALIZE* the pointer if it is used further on.

    Martin

Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)

Posted by Marc Slemko <ma...@worldgate.com>.
On Thu, 15 Jan 1998, Martin Kraemer wrote:

> On Wed, Jan 14, 1998 at 02:50:01PM -0600, Igor Tatarinov wrote:
> > But why not do this checking in mod_auth ?
> > or pcfg_openfile might be the right function to fix.
> 
> I think that's a sensible idea. The number of pcfg_openfile() calls is
> limited to reading the config files, the htpasswd files, the .htaccess
> files, in short all those files where it is not acceptable to read
> from devices (or directories ;-).

How about opening with O_NDELAY and changing the routine to detect if we
hit the end of the 8k buffer before the end of the line and, if so,
returning an error?  This is something that really should be done
regardless to report a proper error.

This does not completely prevent the attempt at reading the file from
blocking (only in at least 99% of the cases; although 1% can be bad...)
but does make it a lot more difficult for it to block and prevents endless
reads.  

Heck, let's think up some cool attacks on systems that use automounters or
AFS.  Lots of room for making things block there, and the above doesn't
fix that.  Hmm.  If O_NDELAY stopped such a network file read from blocking,
it would be no good.  If it didn't, it wouldn't prevent the above anyway.