From 6a837618b5ae8253ff00c75b628eaa9d590e85f2 Mon Sep 17 00:00:00 2001 From: Georg Hopp Date: Sat, 5 Jul 2014 11:38:46 +0100 Subject: [PATCH] add todo for session memory overflow --- include/session.h | 37 ++++++++++++++++++++++++++++++++++++ src/router/router.c | 2 ++ tests/suppress/external.supp | 7 +++++++ 3 files changed, 46 insertions(+) diff --git a/include/session.h b/include/session.h index 97be928..156c0af 100644 --- a/include/session.h +++ b/include/session.h @@ -32,6 +32,43 @@ // livetime of a session in seconds #define SESSION_LIVETIME 300 // 5 minutes +/** + * Having only a session livetime is not enough. + * An attacker might create a client that never sends a session id + * back and continuously sends requests. This will then result + * in newly created sessions. + * The session class uses 57 bytes + * But there is also a user object created all the time. + * This uses 80 bytes. + * Each user in turn contains a uuid which is 37 bytes. + * Each of these are a class which adds another 221 bytes to each. + * So the following is allocated for these three objects: + * Session: 57 + 221 = 278 + * User: 80 + 221 = 301 + * Uuid: 37 + 221 = 258 + * My allocater only allocates power of 2 sizes to optimize + * memory management so we end up with 512 bytes per object which is + * 1536 bytes per created session. + * The current code is able to handle more than 25000 request per + * second if there is no session id provided on my hardware. + * This sums up to 10GB of used memory within the 5 minutes + * session livetime. + * + * @TODO + * One possible solution is to prevent the creation of sessions + * for subsequent requests from the same connection or ip within + * a given time range. This time range should be the session + * livetime. This would effectively prevent such malicious requests + * from doing harm but also prevents non attackers that did a + * first request from another client (lets say telnet) from getting + * a session in their browser. This might be accaptable if the user + * gets a fitting error message. + * To prevent this we could associate the session with the ip it was + * created on. If there then is a subsequent request from the same ip + * without a sessionid, the old session can be removed and a new one + * can be created. This might give a small but acceptable performance + * hit. + */ TR_CLASS(Session) { char id[37]; diff --git a/src/router/router.c b/src/router/router.c index 6118098..0f67e92 100644 --- a/src/router/router.c +++ b/src/router/router.c @@ -42,6 +42,7 @@ routerCtor(void * _this, va_list * params) this->application = va_arg(*params, Application); this->functions = TR_new(TR_Hash); this->handle = dlopen(NULL, RTLD_LAZY); + dlerror(); this->prefix = PREFIX; this->nprefix = sizeof(PREFIX) - 1; @@ -58,6 +59,7 @@ routerDtor(void * _this) { Router this = _this; TR_delete(this->functions); + dlerror(); dlclose(this->handle); } diff --git a/tests/suppress/external.supp b/tests/suppress/external.supp index c27e3e3..3f45a68 100644 --- a/tests/suppress/external.supp +++ b/tests/suppress/external.supp @@ -43,3 +43,10 @@ fun:ldap_open_defconn } +{ + Ignore dlopen bug. + Memcheck:Leak + ... + fun:_dl_open + ... +}