https://bz.apache.org/bugzilla/show_bug.cgi?id=57832
--- Comment #7 from regilero <[email protected]> ---

I made some tests with the last patch, on top of r1656259's patch.

If the extra content injected after the 1st response is less than 8000 bytes (more or less), I get 1 for the return of is_socket_connected instead of 2 (USE_ALTERNATE_IS_CONNECTED && defined(APR_MSG_PEEK) version). Not always; the attack succeeds at 90%.

With a big injected response the socket read is not empty and is_socket_connected is detecting this fact, but I do not get any response (no 502/503/400, just an RST). So it means the real socket is empty (tested it with real reads and timeouts), but something has already stored this extra content and this storage is associated with the socket. So quite certainly something like some buckets which are not cleaned up after the 1st request.

Note that this is hiding a potential problem that I had to fix on the 1st patch with backends sending one extra \r\n after the first response. But I think the final solution will have to mix this is_socket_connected check and a real cleanup of all data read from the socket while processing the first response.
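As an added illustration of the cleanup the comment argues for (example code, not Apache's and not from the bug thread): a proxy-side check that consumes exactly one Content-Length-framed response and classifies whatever the backend left behind, tolerating the lone extra CRLF the comment mentions but flagging anything larger. Function names and the sample replies are constructed; chunked transfer-coding is assumed not to be in use.

```python
import re

# Case-insensitive header match; MULTILINE so ^ anchors at each header line.
CONTENT_LENGTH_RE = re.compile(rb"(?im)^content-length:[ \t]*(\d+)")


def split_first_response(buf: bytes):
    """Consume exactly one Content-Length-framed HTTP response from buf.

    Returns (response_bytes, leftover_bytes). Assumption: the backend frames
    the body with Content-Length; chunked coding is not handled here.
    """
    head_end = buf.find(b"\r\n\r\n")
    if head_end < 0:
        raise ValueError("incomplete response headers")
    header_block = buf[:head_end + 4]
    match = CONTENT_LENGTH_RE.search(header_block)
    body_len = int(match.group(1)) if match else 0
    end = head_end + 4 + body_len
    if len(buf) < end:
        raise ValueError("incomplete response body")
    return buf[:end], buf[end:]


def check_backend_reply(buf: bytes):
    """Classify what remains after the first response has been consumed.

    'clean'      -> nothing left; the backend connection can be reused
    'stray-crlf' -> one extra CRLF, the lenient backend case from the comment
    'extra-data' -> unexpected bytes already read from the socket; they must
                    be discarded and the connection must not serve another
                    client's request
    """
    _, leftover = split_first_response(buf)
    if not leftover:
        return leftover, "clean"
    if leftover == b"\r\n":
        return leftover, "stray-crlf"
    return leftover, "extra-data"


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    first = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    second = b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nbad"
    for sample in (first, first + b"\r\n", first + second):
        print(check_backend_reply(sample)[1])
```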
