Fix range violation when writing to access log #1156

Merged
merged 1 commit into from Jun 26, 2015

Contributor

marcioapm commented Jun 26, 2015

When the requested URL is > ~2000 bytes the server crashes and the process hangs forever using 100% CPU on Linux. Easily exploitable by malicious users.

Member

s-ludwig commented Jun 26, 2015

Thanks. Does this happen for debug builds or just for release builds? I would have really hoped for at least a RangeError being thrown and the application exiting gracefully. Of course that still is a DoS vector.

s-ludwig added a commit that referenced this pull request Jun 26, 2015

Merge pull request #1156 from marcioapm/req_size_dos
Fix range violation when writing to access log

@s-ludwig s-ludwig merged commit 37125b0 into vibe-d:master Jun 26, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Contributor

etcimon commented Jun 26, 2015

AllocAppender?

Contributor

etcimon commented Jun 26, 2015

> Of course that still is a DoS vector.

Biggest DoS vector is the unlimited json upload size. Unless I'm mistaken

Contributor

marcioapm commented Jun 26, 2015

It does crash with a range error. I believe in release as well. The problem is that it then hangs there forever using 100% CPU. I think last time I checked it was stuck in _d_throw or something... It's been like this for a long time.

@etcimon Unlimited? Isn't maxRequestSize honored before trying to do anything with the request contents?

Contributor

etcimon commented Jun 26, 2015

> Unlimited? Isn't maxRequestSize honored before trying to do anything with the request contents?

Sure, but if you're a little creative you can send a 2mb json multiplied by unlimited connections, because while max request size is implemented, the request timeout isn't, and there's no single IP limitation.

Contributor

etcimon commented Jun 26, 2015

> I think last time I checked it was stuck in _d_throw or something... It's been like this for a long time.

invalid memory operation. I get infinite loops there too, only solution is to send a signal in druntime's onInvalidMemoryOperation, i.e. `asm { int 3; }`

Member

s-ludwig commented Jun 26, 2015

> AllocAppender?

I think Appender is actually OK in this case, since it usually just allocates once at startup.

Member

s-ludwig commented Jun 26, 2015

BTW, has anyone seen an open bug report on issues.dlang.org for the exception issues? What I often get is an access violation when an exception is supposed to be caught, and of course the infinite loop here.

@marcioapm marcioapm deleted the marcioapm:req_size_dos branch Jun 26, 2015
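
The failure class discussed in this thread, as an added example that is not the pull request's code: an access-log line built from a request URL in a fixed-capacity buffer, next to a growable `Appender` that is reserved once and reused. `FixedLine`, `writeAccessLine`, `maxLoggedUrl` and the 2048-byte size are assumptions made for illustration.

```d
import core.exception : RangeError;
import std.array : Appender, replicate;
import std.conv : to;
import std.stdio : writeln;

enum maxLoggedUrl = 512; // assumed cap for this example, not a project setting

// Hypothetical stand-in for a preallocated log-line buffer (size is assumed).
struct FixedLine
{
    char[2048] buf;
    size_t len;

    void put(const(char)[] s)
    {
        // Bounds-checked slice: throws RangeError once the line outgrows buf.
        // dmd's -release switch removes this check outside @safe code.
        buf[len .. len + s.length] = s[];
        len += s.length;
    }
}

// Same line format for both sinks; the URL is client-controlled input.
void writeAccessLine(Sink)(ref Sink dst, string method, string url, int status)
{
    dst.put(method);
    dst.put(" ");
    dst.put(url);
    dst.put(" ");
    dst.put(status.to!string);
}

void main()
{
    string longUrl = "/" ~ replicate("a", 3000); // constructed sample input

    FixedLine fixed;
    try { writeAccessLine(fixed, "GET", longUrl, 200); }
    catch (RangeError e) { writeln("fixed buffer: ", e.msg); }

    // Growable sink, reserved once and reused; the logged URL is also capped.
    // The cap counts bytes, so it may cut a multi-byte UTF-8 sequence.
    Appender!(char[]) line;
    line.reserve(2048);
    auto shown = longUrl.length > maxLoggedUrl ? longUrl[0 .. maxLoggedUrl] : longUrl;
    writeAccessLine(line, "GET", shown, 200);
    writeln("appender line length: ", line.data.length);
    line.clear(); // keeps the allocated capacity for the next request
}
```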
