- Subject: Re: Hash Table Collisions (n.runs-SA-2011.004)
- From: William Ahern <william@...>
- Date: Wed, 4 Jan 2012 17:18:20 -0800
On Wed, Jan 04, 2012 at 04:16:00PM -0800, Sam Roberts wrote:
> OK, so quoting the report:
>
> ruby could be caused to take 6 hours of i7 CPU time to parse a 2 MB
> post request
>
> That seems ripe for exploit.
>
> Whereas I rearranged your code to run standalone, and what I'm seeing
> for 8MB of input to lua is it goes from about 2 seconds with random
> data to about 44 seconds with crafted data. And I have an i3 CPU, not
> i7, for what it's worth.
>
> That's not blowing me away.
>
Try this patch. Let me know when it finishes ;)
--- TestHeader.lua.old Wed Jan 4 17:15:34 2012
+++ TestHeader.lua Wed Jan 4 17:15:56 2012
@@ -14,7 +14,7 @@
local function Random()
local aBuffer = {}
- for anIndex = 1, 32 do
+ for anIndex = 1, 34 do
aBuffer[ anIndex ] = string.char( math.random( 59, 126 ) )
end
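Review bot: the 32 -> 34 on the `for anIndex = 1, 34 do` line is only correct in combination with the two extra `%s` slots added to NotSoRandom() in the next hunk (28 filler bytes plus six single-byte arguments = 34), so the random and crafted keys stay the same length and the timing comparison is between equal-sized inputs. Nothing ties the two numbers together; a comment here, or one shared local such as a key length used by both functions, would stop them drifting apart the next time either generator is adjusted. The hunk header also counts 7 old lines but only 5 are quoted, so the tail of Random() is not visible for review.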
@@ -22,9 +22,11 @@
end
local function NotSoRandom()
- local aChar = string.char( math.random( 59, 126 ) )
+ local aChar = 'a'
- return ( '%s%s%s%s%s' ):format( ( aChar ):rep( 28 ),
+ return ( '%s%s%s%s%s%s%s' ):format( ( aChar ):rep( 28 ),
+ string.char( math.random( 59, 126 ) ),
+ aChar,
string.char( math.random( 59, 126 ) ),
aChar,
string.char( math.random( 59, 126 ) ),
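Review bot: the quoted hunk stops at the sixth argument of a seven-slot format string (the header announces 11 new lines, 9 are shown), so the final argument and the closing of the `format` call cannot be checked; please post the complete hunk. On the change itself, replacing the per-call `math.random( 59, 126 )` filler with the fixed `'a'` is what makes the generated keys collide with each other instead of differing in the filler byte, and the random bytes now sit at offsets 28, 30 and 32 with `'a'` at 29 and 31 (and, if the missing argument is `aChar`, at 33). A comment stating which offsets of a key this length Lua's string hash actually reads, and why that makes this particular alternation produce collisions, would save the next reader from reverse-engineering the layout.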
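Why the patched keys collide, as an added example that is not part of the post or of TestHeader.lua: the block below re-implements Lua 5.1's string hash (luaS_hash in lstring.c, from the example author's knowledge of that source, not from anything on this page) and mirrors the three key generators, Random(), the pre-patch NotSoRandom() and the patched one. The seventh `%s` argument is cut off in the quoted patch and is assumed here to be another `aChar`, giving a 34-byte key that matches the new Random() length; `ALPHABET`, `sampled_positions` and `collision_stats` are names of this example only.

```python
"""Added example, not from the mailing-list post or from TestHeader.lua:
a Python re-implementation of Lua 5.1's string hash (luaS_hash in
lstring.c, as the author of this example knows it) used to check why the
patched NotSoRandom() keys collide while Random() keys do not. The seventh
'%s' argument, cut off in the quoted patch, is assumed to be another aChar."""
import random

ALPHABET = bytes(range(59, 127))  # same byte range as math.random(59, 126)


def lua51_hash(s: bytes) -> int:
    """Lua 5.1 luaS_hash: seed with the length, then fold in bytes walking
    backwards from the end in steps of (len >> 5) + 1. Strings of 32..63
    bytes therefore contribute only every other byte to the hash."""
    length = len(s)
    h = length & 0xFFFFFFFF
    step = (length >> 5) + 1
    l1 = length
    while l1 >= step:
        h = (h ^ ((h << 5) + (h >> 2) + s[l1 - 1])) & 0xFFFFFFFF
        l1 -= step
    return h


def sampled_positions(length: int) -> list:
    """0-based offsets that lua51_hash actually reads for a given length."""
    step = (length >> 5) + 1
    return [l1 - 1 for l1 in range(length, step - 1, -step)]


def random_key(rng: random.Random, length: int = 34) -> bytes:
    """Mirror of the patched Random(): `length` bytes drawn from ALPHABET."""
    return bytes(rng.choice(ALPHABET) for _ in range(length))


def not_so_random_key(rng: random.Random) -> bytes:
    """Mirror of the patched NotSoRandom(): 28 'a's, then random bytes at
    even offsets 28, 30, 32 and 'a' at odd offsets 29, 31, 33 (34 bytes).
    The hash only reads odd offsets of a 34-byte string, so every such key
    hashes like b'a' * 34."""
    tail = bytes(rng.choice(ALPHABET) if i % 2 == 0 else ord("a") for i in range(6))
    return b"a" * 28 + tail


def original_not_so_random_key(rng: random.Random) -> bytes:
    """Mirror of the pre-patch NotSoRandom(): the filler byte is itself
    random, so the keys split into one hash value per filler byte (32 bytes)."""
    c = rng.choice(ALPHABET)
    return bytes([c] * 28 + [rng.choice(ALPHABET), c, rng.choice(ALPHABET), c])


def collision_stats(n: int, seed: int = 1) -> dict:
    """Generate n keys of each kind and return, per kind, a tuple of
    (distinct keys, distinct hash values); a working collision set has
    many distinct keys but a single hash value."""
    rng = random.Random(seed)
    kinds = {
        "random": [random_key(rng) for _ in range(n)],
        "original": [original_not_so_random_key(rng) for _ in range(n)],
        "patched": [not_so_random_key(rng) for _ in range(n)],
    }
    return {
        name: (len(set(keys)), len({lua51_hash(k) for k in keys}))
        for name, keys in kinds.items()
    }


if __name__ == "__main__":
    print("offsets hashed for a 34-byte key:", sampled_positions(34))
    for name, (keys, hashes) in collision_stats(2000).items():
        print(f"{name:>8}: {keys} distinct keys -> {hashes} distinct hashes")
```

Running it shows that only the odd offsets of a 34-byte key reach the hash, that every patched key hashes to the same value as `b"a" * 34` while the pre-patch generator spreads its keys over one hash value per filler byte (at most 68 of them), and that random keys get distinct hashes. The patched layout therefore merges the 68 separate colliding groups of the original generator into a single group, and the extra random offset raises the number of distinct keys available for that group from 68^2 to 68^3.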