[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#534712: apache2.2-common: DOS possible with mod_deflate

Package: apache2.2-common
Version: 2.2.9-10+lenny3
Severity: normal
Tags: patch security

There is a bug in mod_deflate that can lead to a DOS with a very small
network traffic.

The problem is the following : when downloading a file with mod_deflate
enabled and aborting the connexion before the end, mod_deflate will take
100% of a CPU and finish to compress the file for nothing.

Even with a not-so-big file (a few dozen of MB), it is possible to
"lock" apache by opening simultaneous request on this file and abort the
connexion very soon, as the
file will be compressed multiple times in parallel, it will make
compression times grow and keep the threads busy for a while.

The problem arises because mod_deflate doesn't check if the connexion is
aborted and goes on whatever happen.

The following patch fixes the problem, but at reading the code, I guess
that the inflate function is also impacted.

Best regards,


--- mod_deflate.c	2008-01-04 15:23:50.000000000 +0100
+++ mod_deflate.c.new	2009-06-26 16:50:36.000000000 +0200
@@ -691,6 +691,10 @@

+	if (r->connection->aborted) {
+            return APR_ECONNABORTED;
+        }
         /* read */
         apr_bucket_read(e, &data, &len, APR_BLOCK_READ);

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env expires headers
  mime negotiation perl php5 python setenvif status userdir

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny3      utility programs for webservers
ii  libapr1             1.2.12-5             The Apache Portable Runtime
ii  libaprutil1         1.2.12+dfsg-8+lenny2 The Apache Portable Runtime
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination
library us
ii  libssl0.9.8         0.9.8g-15+lenny1     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2
init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' &
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:    compression library - runtime

Versions of packages apache2.2-common recommends:
ii  ssl-cert                      1.0.23     simple debconf wrapper for

Versions of packages apache2.2-common suggests:
ii  apache2-doc              2.2.9-10+lenny3 Apache HTTP Server
pn  apache2-suexec | apache2 <none>          (no description available)
ii  dillo [www-browser]      0.8.6-3         Small and fast web browser
ii  elinks [www-browser]     0.11.4-3        advanced text-mode WWW browser
ii  epiphany-gecko [www-brow 2.22.3-9        Intuitive GNOME web browser
- Geck
ii  iceape-browser [www-brow 1.1.14-1        Iceape Navigator (Internet
ii  iceweasel [www-browser]  3.0.6-1         lightweight web browser
based on M
ii  w3m [www-browser]        0.5.2-2+b1      WWW browsable pager with

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event        <none>          (no description available)
pn  apache2-mpm-itk          <none>          (no description available)
ii  apache2-mpm-prefork      2.2.9-10+lenny3 Apache HTTP Server -
traditional n
pn  apache2-mpm-worker       <none>          (no description available)

-- no debconf information

Reply to: