hey Matt -- what version of re2c is installed?
On Tue, Jun 30, 2009 at 18:43, Matt Elson<mel...@fastmail.net> wrote: > Hey all, > > I stumbled upon an odd issue the other day that I'm having trouble > tracking down. Namely, a certain rule in the sought rule set, when > compiled for use with Rule2XSBody is causing the processing of *some* > emails to, well, never really end. Piping the mail through spamassassin > or into spamd just results in the process hanging and the memory usage > going higher and higher (2+ gigs, easily) and seemingly ignoring any > sort of timeouts. The process finally gets killed only when the OS > notices it's out of memory and starts killing processes or when I'm able > to sneak in and kill -9 it. There's nothing in the debug of SA whatsoever. > > I was wondering if anyone else has seen this or if it's some quirk of my > environment. I admit that I'm no expert in this sort of thing, but > (hopefully) some useful information is below the dotted line. > > ----- > This happened on four of my machines which have the following configuration: > > > RHEL5.2 / SA 3.2.5 / Perl 5.8.8 / gcc 4.1.2 > RHEl5.2 / SA 3.2.4 / Perl 5.8.8 / gcc 4.1.2 > RHELAS 4 (Update 6) / SA 3.2.4 / Perl 5.8.5 / gcc 3.4.6 > RHELAS 4 (Update 6) / SA 3.2.4 / Perl 5.8.5 / gcc 3.4.6 > > > The SA is built from source off the main website, and the perl is just > stock redhat. > > If I copy down all my rules/configuration to my Debian desktop using its > packaging, the problem doesn't emerge (sa 3.2.5/perl 5.10.0/gcc 4.3.3 there) > > Removing the compiled rulesets works around the issue fairly handily. > I'm stubborn though, so after I did so, I dug around a bit and it seems > one specific body rule was causing the issue, namely: > > body __SEEK_1R0JFS /\x{ff}\x{fe} \x{00} \x{00} \x{00} > \x{00}<\x{00}m\x{00}e\x{00}t\x{00}a\x{00} > \x{00}h\x{00}t\x{00}t\x{00}p\x{00}-\x{00}e\x{00}q\x{00}u\x{00}i\x{00}v\x{00}=\x{00}\'\x{00}R\x{00}e\x{00}f\x{00}r\x{00}e\x{00}s\x{00}h\x{00}\'\x{00} > \x{00}c\x{00}o\x{00}n\x{00}t\x{00}e\x{00}n\x{00}t\x{00}=\x{00}\'\x{00}0\x{00};\x{00} > \x{00}u\x{00}r\x{00}l\x{00}=\x{00}h\x{00}t\x{00}t\x{00}p\x{00}:\x{00}\/\x{00}\/\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}/ > > Once I comment out the rule, compiled rulesets work fine again. I don't > know enough to know what the heck that regex even is, or why it would be > causing problems (I basically found which rule was causing a problem by > commenting out anything that looked scary to me, running sa-compile, and > testing to see if I the "hanging" behavior went away) > > I'm not sure the best way to post up a sample of the mail that was > choking the system without it getting mangled (though I'll gladly post > it if someone can show me where), but fooling around, it seemed to come > down to the message containing this as one of its parts: > > > - > Content-Type: text/html; > Content-Transfer-Encoding: quoted-printable > > (Any content could go here) > =00 > - > > Removing =00 OR Content-Transfer-Encoding: quoted-printable causes the > mail to pass through without a problem. It seems to only be both > combined that resulted in the behavior I saw. > > Anyhoo, any thoughts? This a legitimate bug or something wrong with my > setup? > > Matt > >