You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/08/06 10:39:52 UTC

Re: Perl regex crash on large HTML table under SPAMD - SOLVED 

Dominic Germain writes:
> replacing "*" by "{0,30}" fixed my problem! The regex works for small  
> tables without crashing spamd childs.

Good to hear it.

> IMO, upgrading to Perl 5.10 on OSX is not recommended... Apple is  
> tweeking a lot of stuff and there is always chances that a future OSX  
> update will screw up everything.

Yes -- in general, it can be hard work to do that, and there
are still the occasional report of bugs in 5.10; if you can avoid it
for a few more months, do ;)

--j.

> many thanks!
> 
> 
> Dominic Germain
> ---------------------------------------------
> Administrateur r�seau / Network administrator
> Sogetel
> www.sogetel.net
> 
> mailinglists@sogetel.com
> 
> 
> 
> Le 08-08-05 � 15:23, Justin Mason a �crit :
> 
> >
> > Dominic Germain writes:
> >> Hi,
> >>
> >> I'm running the following rules in my local rules for a while and it
> >> works flawlessly under RedHat EL 3 (Perl 5.8.0):
> >>
> >> rawbody	TABLEOBFU /
> >> <td([^>]|"[^"]*"|'[^']*')*>(<([^>]|"[^"]*"|'[^']*')*>)*[a-z]{1,2}
> >> (<([^>]|"[^"]*"|'[^']*')*>)*<\/td([^>]|"[^"]*"|'[^']*')*>/i
> >>
> >> Recently, we move to Apple Mac OS X 10.5 server with Perl 5.8.8.  We
> >> start getting SIGCHLD error and 0/0 scores.  I've found that  
> >> TABLEOBFU
> >> rule crash if there is a large table (~32k) inside the mail...  I was
> >> able to reproduce it under Redhat EL 5 also (Perl 5.8.8) but HTML  
> >> must
> >> be 2 times larger (~64k).
> >>
> >> I also try with the following rule I got from the mailing list.  Same
> >> problem.
> >>
> >> rawbody TABLEOBFU /
> >> <td([^>]|"[^"]*"|'[^']*')*>(<([^>]|"[^"]*"|'[^']*')*>)*[a-z]{1,2}
> >> (<([^>]|"[^"]*"|'[^']*')*>)*<\/td([^>]|"[^"]*"|'[^']*')*>/i
> >>
> >> It seems to be something related to allocated memory for the spamd
> >> script...
> >>
> >> Anything known about that issue?  Is is possible to "skip" a test
> >> according to mail size?
> >
> > The best fix would be to rewrite those rules not to use /*/, to use
> > /{0,n}/ instead, and to use /(?...)/ instead of /(...)/ .   You  
> > could also
> > upgrade to perl 5.10, which may have this bug fixed iirc; however you
> > would still be vulnerable to another side-effect of that kind of  
> > regexp,
> > which is exponential runtime. unlimited quantifiers like + and * are  
> > very
> > bad news in SA rules.
> >
> > --j.