Date: Sun, 9 Aug 1998 12:53:56 -0700
From: bugtraq <[email protected]>
To: [email protected]
Subject: Re: YA Apache DoS attack

>And here's a band-aid for 1.3.1 - I'm sure we'll come up with something better
>soon. This (untested) patch should prevent the worst effects. A similar patch
>should work for 1.2.x.
A similar version of this patch works against Apache 1.2.5. I have made
RPMs for RedHat, Caldera, SuSE, TurboLinux, and other RPM-based systems
available at this location:
http://www.samiam.org/blackdragon
Patch for Apache 1.2.5 included. I have verified that this patch protects
Apache 1.2.5 from the sioux DOS attack.
- Sam
*** apache_1.2.5/src/http_protocol.c.orig Sun Aug 9 11:44:00 1998
--- apache_1.2.5/src/http_protocol.c Sun Aug 9 11:53:13 1998
***************
*** 659,664 ****
--- 659,665 ----
int len;
char *value;
char field[MAX_STRING_LEN];
+ int nheaders=0;
/* Read header lines until we get the empty separator line,
* a read error, the connection closes (EOF), or we timeout.
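Review bot: the threshold that `nheaders` is later compared against appears only as the bare literal `100` in the next hunk; declare it as a named constant beside this counter (e.g. `#define MAX_REQUEST_HEADERS 100`) and add a one-line comment saying the counter bounds the number of header lines merged per request, so the limit is easy to find, tune and audit.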
***************
*** 674,679 ****
--- 675,686 ----
while (isspace(*value)) ++value; /* Skip to start of value */
table_merge(r->headers_in, field, value);
+
+ if(++nheaders >= 100) {
+ r->status = HTTP_BAD_REQUEST;
+ return;
+ }
+
}
}
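Review bot: the early `return` after `++nheaders >= 100` leaves the remainder of the request's header lines unread on the socket and emits no log entry. This is only equivalent to the existing bad-header error path if the caller closes the connection on `r->status == HTTP_BAD_REQUEST` rather than honouring keep-alive; please confirm that, since otherwise the unread lines would be parsed as the start of the next request. Add a log call (the 1.x tree's `log_reason` is the usual one) so operators can see in the error log when the limit is hit, and note that the check runs after `table_merge`, so the 100th header is still merged before the request is refused. Minor: `if(++nheaders >= 100)` should follow the file's `if (` spacing.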