On Fri, Aug 26, 2011 at 10:27 AM, Jim Jagielski <j...@apache.org> wrote:
> > I guess we can do both: Count the ',' and give the number to
> > apr_array_make
>
> Doesn't that mean that someone can craft a nasty Range (e.g: 0-0,1-1,2-2,
> 3-3,….99999999-99999999 and cause us to preallocate a bunch
> of memory when at the end we'll get 0-99999999 ???

it won't fit in a header field of (default) legal length. the attack vector that killed us before the copy_brigade_range() patch keeps a single digit start specifier and nearly fills up a legal header when the end specifier gets up to 1300.

fwiw, I calculated that with the original code and a tiny bit more malicious attack vector, we would allocate 848,250 buckets per thread per request.

Greg
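The comma count and the range merge discussed in this thread, as an added C example; it is not code from httpd or from anyone on the thread. `range_t`, `count_specs`, `parse_and_merge` and `MAX_FIELD` are hypothetical names, and 8190 is assumed as the field-length limit (the default of httpd's `LimitRequestFieldSize`).

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD 8190 /* assumption: httpd's default LimitRequestFieldSize */
typedef struct { long start, end; } range_t; /* hypothetical type */

/* Commas + 1: the upper bound on range specs that the thread proposes
 * passing to apr_array_make. The field-length limit caps it in turn. */
static int count_specs(const char *set)
{
    int n = 1;
    for (; *set; set++)
        if (*set == ',') n++;
    return n;
}

static int cmp_start(const void *a, const void *b)
{
    const range_t *x = a, *y = b;
    return (x->start > y->start) - (x->start < y->start);
}

/* Parse "a-b,c-d,..." (explicit first and last byte only), then sort and
 * merge overlapping or adjacent ranges in place. Returns the merged count,
 * or -1 for malformed input, an oversized field, or too small a buffer. */
static int parse_and_merge(const char *set, range_t *out, int cap)
{
    int n = 0, m = 0, i;
    char *p;
    if (!*set || strlen(set) > MAX_FIELD || count_specs(set) > cap) return -1;
    for (;;) {
        while (*set == ' ') set++;
        if (!isdigit((unsigned char)*set)) return -1;
        out[n].start = strtol(set, &p, 10);
        if (*p != '-' || !isdigit((unsigned char)p[1])) return -1;
        out[n].end = strtol(p + 1, &p, 10);
        if (out[n].end < out[n].start) return -1;
        n++;
        if (*p == '\0') break;
        if (*p != ',') return -1;
        set = p + 1;
    }
    qsort(out, n, sizeof *out, cmp_start);
    for (i = 1; i < n; i++)
        if (out[i].start - 1 > out[m].end)
            out[++m] = out[i];           /* gap: start a new merged range */
        else if (out[i].end > out[m].end)
            out[m].end = out[i].end;     /* overlaps or touches: extend */
    return m + 1;
}
```

The comma count never exceeds the length of the field, so the preallocation is bounded by the header limit, while the merged count can be far smaller than the number of specs sent.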