Dominic Germain writes:
> Hi,
>
> I'm running the following rules in my local rules for a while and it
> works flawlessly under RedHat EL 3 (Perl 5.8.0):
>
> rawbody TABLEOBFU /
> <td([^>]|"[^"]*"|'[^']*')*>(<([^>]|"[^"]*"|'[^']*')*>)*[a-z]{1,2}
> (<([^>]|"[^"]*"|'[^']*')*>)*<\/td([^>]|"[^"]*"|'[^']*')*>/i
>
> Recently, we move to Apple Mac OS X 10.5 server with Perl 5.8.8. We
> start getting SIGCHLD error and 0/0 scores. I've found that TABLEOBFU
> rule crash if there is a large table (~32k) inside the mail... I was
> able to reproduce it under Redhat EL 5 also (Perl 5.8.8) but HTML must
> be 2 times larger (~64k).
>
> I also try with the following rule I got from the mailing list. Same
> problem.
>
> rawbody TABLEOBFU /
> <td([^>]|"[^"]*"|'[^']*')*>(<([^>]|"[^"]*"|'[^']*')*>)*[a-z]{1,2}
> (<([^>]|"[^"]*"|'[^']*')*>)*<\/td([^>]|"[^"]*"|'[^']*')*>/i
>
> It seems to be something related to allocated memory for the spamd
> script...
>
> Anything known about that issue? Is is possible to "skip" a test
> according to mail size?
The best fix would be to rewrite those rules not to use /*/, to use
/{0,n}/ instead, and to use /(?...)/ instead of /(...)/ . You could also
upgrade to perl 5.10, which may have this bug fixed iirc; however you
would still be vulnerable to another side-effect of that kind of regexp,
which is exponential runtime. unlimited quantifiers like + and * are very
bad news in SA rules.
--j.
