Bug 37150

Summary: denial of service on many and long requests on v5.5.x
Product: Tomcat 5 Reporter: David Maciejak <david.maciejak>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: major    
Priority: P2    
Version: 5.5.0   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description David Maciejak 2005-10-18 23:16:59 UTC 
Hi,

I find some time to try to understand why sometimes my tomcat burns the CPU

The fact:
with long request (for example complex jsp or big dir listing) and if there is
more than 1 simultaneous connection (is easy to reproduce the case with many
connections); catalina stop responding, java takes all the CPU!

I have tested that with default conf (perhaps there are some parameters to
tune), I have create many files in a directory and many threads trying to get
the directory listing.

Tomcat version from 5.5.0 to 5.5.11 included are vulnerable, 5.5.12 seems to be
ok. I have not tested older version.

Have I missed something in the conf ?

cheers

David Maciejak
Comment 1 David Maciejak 2005-10-19 00:03:16 UTC 
v5.0.28 seems ok
Comment 2 Remy Maucherat 2005-11-08 22:12:21 UTC 
This bug report does not make any sense, sorry.
Comment 3 Mark Thomas 2005-11-08 22:51:38 UTC 
It does make sense and I have reproduced it.
Comment 4 Remy Maucherat 2005-11-08 22:54:56 UTC 
Cool. Do you have an explanation for: "Tomcat version from 5.5.0 to 5.5.11
included are vulnerable, 5.5.12 seems to be ok." ?
Comment 5 Mark Thomas 2005-11-08 23:05:57 UTC 
(In reply to comment #4)
> Cool. Do you have an explanation for: "Tomcat version from 5.5.0 to 5.5.11
> included are vulnerable, 5.5.12 seems to be ok." ?

Looks like his testing of 5.5.12 was bad. I can easily reproduce this using the
latest source from SVN and the problem area has remained unchanged. I posted an
explanation of what is going on to the dev list.
Comment 6 Remy Maucherat 2005-11-08 23:45:05 UTC 
(In reply to comment #5)
> Looks like his testing of 5.5.12 was bad. I can easily reproduce this using the
> latest source from SVN and the problem area has remained unchanged. I posted an
> explanation of what is going on to the dev list.

The abstraction layer will make directory listings expensive (actually,
directory listings in Java are going to be expensive regardless), so I don't see
how this can be optimized. The fact remains however that this bug report is
nonsense.
Comment 7 David Maciejak 2005-11-09 00:30:23 UTC 
(In reply to comment #5)
> (In reply to comment #4)
> > Cool. Do you have an explanation for: "Tomcat version from 5.5.0 to 5.5.11
> > included are vulnerable, 5.5.12 seems to be ok." ?
> 
> Looks like his testing of 5.5.12 was bad. I can easily reproduce this using the
> latest source from SVN and the problem area has remained unchanged. I posted an
> explanation of what is going on to the dev list.
> 

In fact, I have not been able to reproduce the problem on 5.5.12. The java
thread burns the cpu during some time and after waiting enough all goes to a
'normal' state.
Comment 8 Mark Thomas 2005-11-09 23:18:33 UTC 
This is now fixed.

The obvious optimisation has been made in the code but this only has a marginal
impact.

Given the high cost of generating the listings in Java, this code cannot be
optimised to the point where large directory listings will not place a
disproportionate load on the server. Therefore, directory listing is now
disabled by default and warnings have been added to both the documentation and
the file where this is configured.

These changes will be included in versions 5.5.13+, 5.0.31+ and 4.1.32+

Note that releases of the 4.1.x and 5.0.x branches are now infrequent and that
none are planned at present.