> And here's a band-aid for 1.3.1 - I'm sure we'll come up with something better
> soon. This (untested) patch should prevent the worst effects. A similar patch
> should work for 1.2.x.

A similar version of this patch works against Apache 1.2.5. I have made RPMs for RedHat, Caldera, SuSE, TurboLinux, and other RPM-based systems available at this location:

http://www.samiam.org/blackdragon

Patch for Apache 1.2.5 included. I have verified that this patch protects Apache 1.2.5 from the sioux DOS attack.

- Sam

*** apache_1.2.5/src/http_protocol.c.orig Sun Aug 9 11:44:00 1998 --- apache_1.2.5/src/http_protocol.c Sun Aug 9 11:53:13 1998 *************** *** 659,664 **** --- 659,665 ---- int len; char *value; char field[MAX_STRING_LEN]; + int nheaders=0; /* Read header lines until we get the empty separator line, * a read error, the connection closes (EOF), or we timeout. *************** *** 674,679 **** --- 675,686 ---- while (isspace(*value)) ++value; /* Skip to start of value */ table_merge(r->headers_in, field, value); + + if(++nheaders >= 100) { + r->status = HTTP_BAD_REQUEST; + return; + } + } }
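Review bot: the new counter in the first hunk, `+ int nheaders=0;`, carries no comment saying what it bounds and its spacing differs from the neighbouring declarations (`int len;`, `char *value;`); suggest `int nheaders = 0;  /* header lines read so far, capped below */` so a reader of the locals knows why the counter exists without looking for the check further down.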
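Review bot: the limit in the second hunk, `+ if(++nheaders >= 100) {`, is a bare magic number and trips on the 100th header line rather than the 101st, so the effective maximum is 99 lines; and because the test sits after `table_merge(r->headers_in, field, value);`, the 100th line is merged into the table before the request is refused. Suggest a named constant (or a configurable directive) compared with `>`, checked before the merge, and confirm that the code calling this function acts on `r->status = HTTP_BAD_REQUEST;` after the early `return;`, since the hunk only sets the status and returns. Note also that the cap bounds the number of lines, not their size: each line can still be as long as `field[MAX_STRING_LEN]` allows, so the merged headers table becomes bounded rather than small.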
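The mechanism behind the patch, as an added example that is neither Sam's patch nor Apache's code: a toy model of table_merge (which appends a repeated field's value to the existing entry, joined by ", "), fed a constructed request of many identical header lines, first with no line limit and then with the patch's limit of 100, checked after the merge exactly as the hunk does. Every name here (header_table, merge_header, read_headers, run_sioux, HEADER_LINE_CAP, MAX_LINE, the X-Sioux field) is an assumption for the demonstration; the 8192-byte line bound stands in for MAX_STRING_LEN.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not Apache's code. */
#define HEADER_LINE_CAP 100   /* the patch's hard-coded limit */
#define MAX_DISTINCT    64    /* distinct field names the toy table holds */
#define MAX_LINE        8192  /* one header line; stands in for MAX_STRING_LEN */

struct header_table {
    char  *name[MAX_DISTINCT];
    char  *value[MAX_DISTINCT];
    size_t n;      /* distinct fields */
    size_t bytes;  /* bytes held in merged values: what the attack inflates */
};

static char *dup_str(const char *s) {
    size_t len = strlen(s) + 1;
    char *d = malloc(len);
    return d ? memcpy(d, s, len) : NULL;
}

/* table_merge semantics: a repeated name is not a new entry, its value is
 * appended to the existing one after ", ", so N copies cost N*(len+2). */
static int merge_header(struct header_table *t, const char *name, const char *value) {
    size_t addlen = strlen(value);
    for (size_t i = 0; i < t->n; i++) {
        if (strcmp(t->name[i], name) != 0)
            continue;
        size_t oldlen = strlen(t->value[i]);
        char *v = realloc(t->value[i], oldlen + 2 + addlen + 1);
        if (!v)
            return -1;
        memcpy(v + oldlen, ", ", 2);
        memcpy(v + oldlen + 2, value, addlen + 1);
        t->value[i] = v;
        t->bytes += 2 + addlen;
        return 0;
    }
    if (t->n == MAX_DISTINCT)
        return -1;
    t->name[t->n] = dup_str(name);
    t->value[t->n] = dup_str(value);
    if (!t->name[t->n] || !t->value[t->n])
        return -1;
    t->bytes += addlen;
    t->n++;
    return 0;
}

static void free_table(struct header_table *t) {
    for (size_t i = 0; i < t->n; i++) {
        free(t->name[i]);
        free(t->value[i]);
    }
    t->n = t->bytes = 0;
}

/* Read "Name: value" lines (LF or CRLF) until the empty separator line.
 * Returns 200 when the block parsed, 400 on a malformed line or when the
 * count of header lines reaches cap (cap == 0: no limit, the unpatched
 * behaviour). As in the patch, the check runs after the merge. */
static int read_headers(const char *req, size_t cap, struct header_table *t) {
    size_t nheaders = 0;
    char line[MAX_LINE];
    const char *p = req;
    for (;;) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len && p[len - 1] == '\r')
            len--;
        if (len == 0)
            return 200;                 /* blank separator line: done */
        if (len >= sizeof line)
            return 400;                 /* over-long header line */
        memcpy(line, p, len);
        line[len] = '\0';
        char *colon = strchr(line, ':');
        if (!colon)
            return 400;                 /* no "name: value" split */
        *colon = '\0';
        char *value = colon + 1;
        while (*value == ' ' || *value == '\t')
            value++;
        if (merge_header(t, line, value) != 0)
            return 500;
        if (cap && ++nheaders >= cap)
            return 400;                 /* the patch's limit */
        if (!eol)
            return 200;                 /* input ended without a separator */
        p = eol + 1;
    }
}

struct sioux_result { int status; size_t bytes; };

/* Constructed sioux-style request: 'lines' copies of X-Sioux, each with a
 * 'vlen'-byte value. Not a captured attack. */
static struct sioux_result run_sioux(size_t lines, size_t vlen, size_t cap) {
    struct sioux_result r = { 500, 0 };
    char value[MAX_LINE];
    if (vlen >= sizeof value - 16)
        vlen = sizeof value - 16;
    memset(value, 'A', vlen);
    value[vlen] = '\0';
    size_t linelen = strlen("X-Sioux: ") + vlen + 1;   /* "X-Sioux: " + value + "\n" */
    char *req = malloc(lines * linelen + 2);
    if (!req)
        return r;
    char *w = req;
    for (size_t i = 0; i < lines; i++)
        w += sprintf(w, "X-Sioux: %s\n", value);
    strcpy(w, "\n");
    struct header_table t = {0};
    r.status = read_headers(req, cap, &t);
    r.bytes = t.bytes;
    free_table(&t);
    free(req);
    return r;
}

int main(void) {
    struct sioux_result a = run_sioux(1000, 64, 0);               /* 200, 65998 bytes */
    struct sioux_result b = run_sioux(1000, 64, HEADER_LINE_CAP); /* 400, 6598 bytes */
    printf("unpatched: status %d, merged bytes %zu\n", a.status, a.bytes);
    printf("patched:   status %d, merged bytes %zu\n", b.status, b.bytes);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the unpatched run grows the single merged X-Sioux value linearly with the number of lines (the stored bytes, not the 1000 short lines sent, are what the attacker is buying), while the capped run refuses the request at the 100th line with a bounded table. The model deliberately keeps the patch's off-by-one and post-merge ordering so the numbers reflect what the hunk actually does.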
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:51 PDT