hey Matt -- what version of re2c is installed?

On Tue, Jun 30, 2009 at 18:43, Matt Elson<mel...@fastmail.net> wrote:
> Hey all,
>
> I stumbled upon an odd issue the other day that I'm having trouble
> tracking down.  Namely, a certain rule in the sought rule set, when
> compiled for use with Rule2XSBody is causing the processing of *some*
> emails to, well, never really end.  Piping the mail through spamassassin
> or into spamd just results in the process hanging and the memory usage
> going higher and higher (2+ gigs, easily) and seemingly ignoring any
> sort of timeouts.  The process finally gets killed only when the OS
> notices it's out of memory and starts killing processes or when I'm able
> to sneak in and kill -9 it.  There's nothing in the debug of SA whatsoever.
>
> I was wondering if anyone else has seen this or if it's some quirk of my
> environment. I admit that I'm no expert in this sort of thing, but
> (hopefully) some useful information is below the dotted line.
>
> -----
> This happened on four of my machines which have the following configuration:
>
>
> RHEL5.2 / SA 3.2.5  / Perl 5.8.8 / gcc 4.1.2
> RHEL5.2 / SA 3.2.4  / Perl 5.8.8 / gcc 4.1.2
> RHELAS 4 (Update 6) / SA 3.2.4 / Perl 5.8.5 / gcc 3.4.6
> RHELAS 4 (Update 6) / SA 3.2.4 / Perl 5.8.5 / gcc 3.4.6
>
>
> The SA is built from source off the main website, and the perl is just
> stock redhat.
>
> If I copy down all my rules/configuration to my Debian desktop using its
> packaging, the problem doesn't emerge (sa 3.2.5/perl 5.10.0/gcc 4.3.3 there)
>
> Removing the compiled rulesets works around the issue fairly handily.
> I'm stubborn though, so after I did so, I dug around a bit and it seems
> one specific body rule was causing the issue, namely:
>
> body __SEEK_1R0JFS  /\x{ff}\x{fe} \x{00} \x{00} \x{00}
> \x{00}<\x{00}m\x{00}e\x{00}t\x{00}a\x{00}
> \x{00}h\x{00}t\x{00}t\x{00}p\x{00}-\x{00}e\x{00}q\x{00}u\x{00}i\x{00}v\x{00}=\x{00}\'\x{00}R\x{00}e\x{00}f\x{00}r\x{00}e\x{00}s\x{00}h\x{00}\'\x{00}
> \x{00}c\x{00}o\x{00}n\x{00}t\x{00}e\x{00}n\x{00}t\x{00}=\x{00}\'\x{00}0\x{00};\x{00}
> \x{00}u\x{00}r\x{00}l\x{00}=\x{00}h\x{00}t\x{00}t\x{00}p\x{00}:\x{00}\/\x{00}\/\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}.\x{00}/
>
> Once I comment out the rule, compiled rulesets work fine again.  I don't
> know enough to know what the heck that regex even is, or why it would be
> causing problems (I basically found which rule was causing a problem by
> commenting out anything that looked scary to me, running sa-compile, and
> testing to see if the "hanging" behavior went away)
>
> I'm not sure the best way to post up a sample of the mail that was
> choking the system without it getting mangled (though I'll gladly post
> it if someone can show me where), but fooling around, it seemed to come
> down to the message containing this as one of its parts:
>
>
> -
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
>
> (Any content could go here)
> =00
> -
>
> Removing =00 OR Content-Transfer-Encoding: quoted-printable causes the
> mail to pass through without a problem.  It seems to only be both
> combined that resulted in the behavior I saw.
>
> Anyhoo, any thoughts?  This a legitimate bug or something wrong with my
> setup?
>
> Matt
>
>
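
A triage check for the trigger condition described in the quoted report: a quoted-printable text part whose decoded body contains a NUL byte. It can be used to pull matching messages out of a queue for testing. This is an added example, not code from the thread or from SpamAssassin; the function name `qp_parts_with_nul` and the sample message are constructed for illustration.

```python
import email

# Constructed sample: the HTML part is quoted-printable and ends in "=00",
# the combination described in the report above.
SAMPLE = (
    b"From: a@example.com\r\n"
    b"To: b@example.com\r\n"
    b"Subject: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"plain part\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html;\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"(Any content could go here)\r\n"
    b"=00\r\n"
    b"--b1--\r\n"
)


def qp_parts_with_nul(raw: bytes):
    """Return (part_index, content_type, nul_count) for every
    quoted-printable text part whose decoded body contains NUL bytes."""
    msg = email.message_from_bytes(raw)
    hits = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # containers carry no body of their own
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "quoted-printable" or part.get_content_maintype() != "text":
            continue
        # decode=True undoes the transfer encoding, so "=00" becomes b"\x00"
        body = part.get_payload(decode=True) or b""
        nul_count = body.count(b"\x00")
        if nul_count:
            hits.append((idx, part.get_content_type(), nul_count))
    return hits


if __name__ == "__main__":
    for idx, ctype, count in qp_parts_with_nul(SAMPLE):
        print(f"part {idx} ({ctype}): {count} NUL byte(s) after QP decoding")
```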
