
clamd memory use DoS
I've got a 4MB email that will cause clamd to use >2GB of ram to scan.
This is obviously quite a problem for anyone using clamd on mail servers
(and was responsible for all kinds of problems for my mail cluster.)

I can provide access to this message out of band.

--
Kelsey Cummings - kgc@sonic.net sonic.net, inc.
System Administrator 2260 Apollo Way
707.522.1000 (Voice) Santa Rosa, CA 95407
707.547.2199 (Fax) http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
Re: clamd memory use DoS
On Saturday 27 Mar 2004 1:22 am, Kelsey Cummings wrote:
> I've got a 4MB email that will cause clamd to use >2GB of ram to scan.
> This is obviously quite a problem for anyone using clamd on mail servers
> (and was responsible for all kinds of problems for my mail cluster.)

What version of ClamAV?
Have you tested against the latest version from CVS?
What operating system?

Please zip the e-mail using the password virus & send to bugs@clamav.net

> I can provide access to this message out of band.

-Nigel

--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
njh@despammed.com http://www.bandsman.co.uk
Re: clamd memory use DoS
On Sat, Mar 27, 2004 at 08:17:48AM +0000, Nigel Horne wrote:
> On Saturday 27 Mar 2004 1:22 am, Kelsey Cummings wrote:
> > I've got a 4MB email that will cause clamd to use >2GB of ram to scan.
> > This is obviously quite a problem for anyone using clamd on mail servers
> > (and was responsible for all kinds of problems for my mail cluster.)
>
> What version of ClamAV?

.70-rc1

> Have you tested against the latest version from CVS?

Nope.

> What operating system?

Linux, RH 7.3

> Please zip the e-mail using the password virus & send to bugs@clamav.net

Okie.

--
Kelsey Cummings - kgc@sonic.net sonic.net, inc.
System Administrator 2260 Apollo Way
707.522.1000 (Voice) Santa Rosa, CA 95407
707.547.2199 (Fax) http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
Re: clamd memory use DoS
The problem with this is how clamd scans nested MIME messages. If fed a
deeply recursive message it takes a huge amount of RAM to process. It
appears that some later CVS snapshots handle this better than .70rc does and
so I'll be upgrading to one of them shortly. However, even under the
snapshots, clamd still uses a lot of RAM (several hundred MB.) If more than
a few of these hit a busy server, even a well sized busy server, that
server is history. There are some hackish methods around this like putting
ulimits on clamd or using out of band monitoring to kill it when it gets
too big. However, I think clamd would benefit from two additional
features.

1) Enable excessive MIME recursion detection. If it's more than, what, 20
deep, it's not legit. (These loops I'm seeing go upwards of 4000 parts.)

2) Enable a configurable memory cap to prevent DoS'ing the local box.
Hopefully as graceful as possible. Perhaps it could be configured to fail
hard or soft.

--
Kelsey Cummings - kgc@sonic.net sonic.net, inc.
System Administrator 2260 Apollo Way
707.522.1000 (Voice) Santa Rosa, CA 95407
707.547.2199 (Fax) http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79 8DB7 2B42 86B6 4E2C 3896
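The recursion-depth check proposed in item 1, as an added example that is not ClamAV code and not part of the thread: it parses a message with Python's standard library, walks the part tree with an explicit stack, and refuses to hand the message to a scanner once nesting passes a limit (the 20-deep threshold from the post; `MAX_DEPTH`, `should_scan` and the constructed `nested_message` test input are assumptions of this example).

```python
"""Gate a scanner on MIME nesting depth (added example, not ClamAV code)."""
from email import message_from_bytes

MAX_DEPTH = 20  # threshold suggested in the thread; assumed to be tunable


def mime_depth(msg, limit=MAX_DEPTH):
    """Return the deepest multipart nesting level in msg.

    Uses an explicit stack instead of recursion and returns limit + 1 as
    soon as that level is reached, so a 4000-part loop is not walked fully.
    """
    deepest = 0
    stack = [(msg, 0)]  # (part, nesting depth of that part)
    while stack:
        part, depth = stack.pop()
        deepest = max(deepest, depth)
        if depth > limit:
            return depth  # excessive recursion: stop here
        if part.is_multipart():
            for child in part.get_payload():
                stack.append((child, depth + 1))
    return deepest


def should_scan(raw: bytes, limit=MAX_DEPTH):
    """Parse raw RFC 5322 bytes; return (ok_to_scan, depth_seen).

    Python's parser itself recurses once per multipart level, so hitting
    the interpreter recursion limit is treated as excessive nesting too.
    """
    try:
        msg = message_from_bytes(raw)
    except RecursionError:
        return False, None
    depth = mime_depth(msg, limit)
    return depth <= limit, depth


def nested_message(levels: int) -> bytes:
    """Constructed test input: multipart/mixed wrappers nested `levels` deep."""
    body = "leaf\r\n"
    ctype = "Content-Type: text/plain\r\n"
    for i in range(levels):
        b = f"b{i}"
        body = f"--{b}\r\n{ctype}\r\n{body}--{b}--\r\n"
        ctype = f'Content-Type: multipart/mixed; boundary="{b}"\r\n'
    head = "From: a@example.com\r\nTo: b@example.com\r\nSubject: test\r\n"
    return (head + ctype + "\r\n" + body).encode()
```

The check only protects the scanner behind it; the parser in front still sees the whole message, so a memory cap (item 2, e.g. a `ulimit` on the process) remains a separate control.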