Brian Pane <[EMAIL PROTECTED]> writes:
> Thanks, it works much better with that change.
> One more question: do you have a way to get "before" and
> "after" profile data for a request with a ridiculously
> large number of header fields (e.g., 90 different Cookie
> or Accept lines that need to get merged)? A default httpd
> config will allow up to a 100-line header, which is a large
> enough 'n' to make me paranoid about O(n^2) DoS vulnerabilities.
I had to patch ab to allow it to take a large enough
set of headers.
% perl -wle '$xx="aa";$args.="-H Cook".++$xx.":foo=bar " for 1..48; \
exec qq{ab $args $args -n 50000 -c 50 http://127.0.0.1:8080/foo}'
% oprofile -rl /home/joe/apache2/bin/httpd | head
UNPATCHED:
vma samples % symbol name
00075fb4 9007 20.0071 __GI___strcasecmp
00009d3c 8553 18.9986 __pthread_internal_tsd_address
0000cf00 2294 5.09563 overlap_hash
0000d13c 1900 4.22044 apr_table_overlap
0808852c 1867 4.14714 ap_rgetline_core
000762d8 1254 2.78549 memcpy
000177d4 787 1.74815 apr_palloc
0808ddbc 551 1.22393 core_input_filter
00075b10 482 1.07066 __memchr
PATCHED:
vma samples % symbol name
00075fb4 35642 35.7866 __GI___strcasecmp
00009d3c 35549 35.6932 __pthread_internal_tsd_address
0000c41c 3134 3.14671 apr_table_compress
000762d8 1454 1.4599 memcpy
0808852c 1453 1.45889 ap_rgetline_core
0000c010 1450 1.45588 apr_array_pstrjoin
00017bb8 811 0.81429 apr_palloc
00006214 621 0.623519 apr_brigade_split_line
0808ddbc 578 0.580345 core_input_filter
So it looks like the worst case scenario is
worsened by a factor of 4.
--
Joe Schaefer
