In article <[EMAIL PROTECTED]> you wrote:

>[...an interesting discussion on the apache-ssl list with
>    Ben Laurie whether assertions in server code are reasonable or not...]
>
> The discussion is pointless unless you can indicate a way in which it
> makes Apache-SSL function incorrectly.

How about this scenario:

| rse@en1:/e/apache/RELEASES/apache_1.3.3/src/modules/ssl
| :> ./gcache rse 12346 & 
| [Fri Oct 30 22:28:26 1998] ./gcache started
| [1] 29497
| rse@en1:/e/apache/RELEASES/apache_1.3.3/src/modules/ssl
| :> echo "hello" | socket localhost 12346 
| request was 104
| assertion "!"Unknown request"" failed: file "gcache.c", line 166
| [1]+  Abort trap              (core dumped) ./gcache rse 12346
| rse@en1:/e/apache/RELEASES/apache_1.3.3/src/modules/ssl
| :>

So on a typical system an attacker who gained access to _any_ account (not
necessarily the UID of the httpd or the gcache process) can simply drop
gcache, and with it all httpds, just by sending garbage to the gcache
port.

And although you don't want to hear this: With mod_ssl's ssl_gcache program
this doesn't happen because all assertions are already replaced with checks
which pass error codes to the callers.

| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> ./ssl_gcache rse 12346 &
| [1] 29897
| [Fri Oct 30 22:35:43 1998] ssl_gcache: started
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> ps -ax | grep ssl_gcache 
|   306  ??  I      0:00.03 ssl_gcache 65534 12345
| 29897  p0  S      0:00.02 ./ssl_gcache rse 12346
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket en1 12346
| [Fri Oct 30 22:35:54 1998] ssl_gcache: unexpected connect from 192.76.162.40 - ignored
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket en1 12346
| [Fri Oct 30 22:35:55 1998] ssl_gcache: unexpected connect from 192.76.162.40 - ignored
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket en1 12346
| [Fri Oct 30 22:35:55 1998] ssl_gcache: unexpected connect from 192.76.162.40 - ignored
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket en1 12346
| [Fri Oct 30 22:35:56 1998] ssl_gcache: unexpected connect from 192.76.162.40 - ignored
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> echo "hello" | socket en1 12346
| [Fri Oct 30 22:35:56 1998] ssl_gcache: unexpected connect from 192.76.162.40 - ignored
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :> ps -ax | grep ssl_gcache
|   306  ??  I      0:00.03 ssl_gcache 65534 12345
| 29897  p0  S      0:00.02 ./ssl_gcache rse 12346
| rse@en1:/e/apache/SSL/SRC/mod_ssl-2.0/pkg.apache/src/modules/ssl
| :>

And now I ask myself why _isn't_ this better? I don't understand it, Ben. IMHO
this non-assertion way _is_ better, because it prevents the system from being
brought down (a kind of DoS) by a local attacker....

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
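The two transcripts above contrast a daemon that asserts on its request byte (the gcache run, where the first byte of "hello" is ASCII 104 and the `assert(!"Unknown request")` form shows up verbatim in the abort message) with one that validates and returns an error code. The following C program is an added illustration of that difference and is not code from gcache, ssl_gcache or mod_ssl: the request codes, the return codes, the sample traffic and the loopback-only peer rule are all constructed for the example (the ssl_gcache log shows an off-host connect being ignored, but the exact rule it applies is not on the page). `dispatch_assert` reproduces the failure mode and is never called by the batch loop; `dispatch_checked` is the error-code variant the message argues for.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Request codes a session-cache daemon might accept. Constructed for this
 * example; they are not the real gcache protocol. */
enum { REQ_STORE = 1, REQ_RETRIEVE = 2, REQ_DELETE = 3 };

/* Return codes of the checked dispatcher (also constructed). */
enum { RC_OK = 0, RC_BAD_REQUEST = -1, RC_SHORT = -2, RC_BAD_PEER = -3 };

/* Assertion-style handler, mirroring the gcache transcript: the request byte
 * is treated as a program invariant, so an unknown value trips assert() and
 * one stray connection aborts the whole daemon. Not used by the batch loop. */
int dispatch_assert(const unsigned char *buf, size_t len)
{
    assert(len >= 1);
    switch (buf[0]) {
    case REQ_STORE:
    case REQ_RETRIEVE:
    case REQ_DELETE:
        return RC_OK;
    default:
        assert(!"Unknown request");   /* abort()s the process */
        return RC_BAD_REQUEST;         /* reached only when built with -DNDEBUG */
    }
}

/* Assumption: only loopback peers may talk to the cache. ssl_gcache's log
 * ignores an off-host connect, but its real rule is not shown on the page. */
int peer_is_local(const char *peer)
{
    return strcmp(peer, "127.0.0.1") == 0;
}

/* Error-code handler: every byte that arrives is client input, never an
 * invariant, so bad input is described in 'err' and rejected while the
 * daemon keeps serving. */
int dispatch_checked(const char *peer, const unsigned char *buf, size_t len,
                     char *err, size_t errlen)
{
    if (!peer_is_local(peer)) {
        snprintf(err, errlen, "unexpected connect from %s - ignored", peer);
        return RC_BAD_PEER;
    }
    if (len < 1) {
        snprintf(err, errlen, "short request - ignored");
        return RC_SHORT;
    }
    switch (buf[0]) {
    case REQ_STORE:
    case REQ_RETRIEVE:
    case REQ_DELETE:
        err[0] = '\0';
        return RC_OK;
    default:
        snprintf(err, errlen, "unknown request %u - ignored", (unsigned)buf[0]);
        return RC_BAD_REQUEST;
    }
}

/* Serve a batch of connections in order. Returns how many were processed
 * and stores the number rejected in *rejected; the point is that the loop
 * runs to the end no matter what the clients send. */
int serve_batch(const char *const peers[], const unsigned char *const bufs[],
                const size_t lens[], int n, int *rejected)
{
    char err[128];
    int ok = 0;
    *rejected = 0;
    for (int i = 0; i < n; i++) {
        if (dispatch_checked(peers[i], bufs[i], lens[i], err, sizeof err) == RC_OK) {
            ok++;
        } else {
            (*rejected)++;
            fprintf(stderr, "cache: %s\n", err);
        }
    }
    return ok;
}

int main(void)
{
    /* Constructed traffic: a valid store request, the "hello" line from the
     * transcript (first byte 'h' == 104, the "request was 104" above), an
     * empty connection, and a request from the off-host address in the log. */
    static const unsigned char store[] = { REQ_STORE, 'k', 'e', 'y' };
    static const unsigned char hello[] = "hello\n";
    static const unsigned char empty[] = "";
    const char *const peers[] = { "127.0.0.1", "127.0.0.1", "127.0.0.1", "192.76.162.40" };
    const unsigned char *const bufs[] = { store, hello, empty, hello };
    const size_t lens[] = { sizeof store, 6, 0, 6 };
    int rejected;
    int ok = serve_batch(peers, bufs, lens, 4, &rejected);
    printf("processed %d, rejected %d, daemon still running\n", ok, rejected);
    return 0;
}
```

Built without `-DNDEBUG`, feeding "hello" to `dispatch_assert` ends the process exactly as in the first transcript; the same bytes through `dispatch_checked` produce one log line and the loop moves on, which is the whole difference the message is pointing at. The design choice is that assertions are for conditions the program itself guarantees, and anything read from a socket is not one of them.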
