Several people in the past have reported problems with large uploads
and Apache consumimg all available memory.

Although it is claimed that "MaxRequestInMem" and "MaxRequestLen" introduced
in mod_fcgid 2.2 can be used to overcome this memory consumption problem,
it appears that it does not work as intended and the bug remains.

Essentially this can quickly and easily result in a DoS attack.

Memory of the Apache child process appears to increase by approximately the size
of the file being uploaded.  For example, if I upload a 100MB file the 
Apache child 
will grow by around 100MB of memory.

I'm not much of a programmer, but I've taken a look at the code.  In 
line 552, there is the following:

if (request_size > max_mem_request_len) {

Just before this line is executed, I added a line in source code to log the 
of 'request_size' and 'max_mem_request_len'.  The value of request_size is 
usually 8000
but is sometimes less than that, but never more than 8000.  The value of 
max_mem_request_len is 65536, which is the default value (64KB).

Therefore, as request_size is not greater than max_mem_request_len, the block 
of code added to use a temporary file is never executed.

I'm using these versions on a Linux system

Apache 2.2.8
mod_fcgid 2.2
PHP 5.2.6

I would greatly appeciate if the mod_fcgid developers could take another look 
problem.  I am willing to test any patches in order to assist with fixing 
this problem.


Sent from Yahoo! Mail.
A Smarter Email
Check out the new Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
Mod-fcgid-users mailing list

Reply via email to