Phase-1 drop leaves Apache-Handler proxy-server stuck

[ferrieux]

When a rule decides a drop in phase 1, the TCP is immediately closed (which is good and intended), however the handler behind is still somehow called. If this handler is "proxy-server", it will stay stuck until the global request timeout (5mn) shuts it down.
This has the nasty side-effect of keeping an Apache thread of process busy all that time.

Example with a (CRS-inspired) rule that drops GETs with a content-length:

SecRule REQUEST_METHOD "^(?:GET|HEAD)$"
"msg:'GET or HEAD Request with Body Content.',
severity:'2',
id:'960011',
phase:1,
drop,
logdata:'%{matched_var}',
t:none,
tag:'OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ',
tag:'CAPEC-272',
chain"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"
"t:none,
setvar:'tx.msg=%{rule.msg}',
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
setvar:'tx.%{rule.id}-OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ-%{matched_var_name}=%{matched_var}'"

The %D (duration) log pattern, for such cases, expands to 300000000 (5 minutes), though tcpdump shows that the TCP was terminated quickly (FINs exchanged with client).

[ferrieux]

Digging a bit shows that this behavior is due to a bug in Apache (2.2), which blindly kept trying to add the just-closed socket to its poll list. The following one-line patch to libapr-1 fixes the issue.
Thus you can close the current ticket to mod_security.

--- httpd-2.2.18/srclib/apr/support/unix/waitio.c~ 2006-08-03 12:55:31.000000000 +0200
+++ httpd-2.2.18/srclib/apr/support/unix/waitio.c 2014-01-13 08:53:51.000000000 +0100
@@ -47,6 +47,7 @@
pfd.fd = f ? f->filedes : s->socketdes;
pfd.events = for_read ? POLLIN : POLLOUT;

• if (pfd.fd<0) return EINVAL;
  do {
  rc = poll(&pfd, 1, timeout);
  } while (rc == -1 && errno == EINTR);

[victorhora]

Closing this one as the bug was found to be on libapr.

[csanders-git]

has the issue been fixed upstream in libapr? are they aware of the issue?

[victorhora]

I don't think so @csanders-git. But feel free to submit the pull request if you want to help us: https://github.com/apache/apr/blob/1.6.x/support/unix/waitio.c =)

Thanks!

[marcstern]

Did you reproduce it in Apache 2.4?

[marcstern]

This looks a very safe patch (useless in the worth case), so I created a pull request for it.
apache/apr#5

[victorhora]

Nice @marcstern!

But I just noticed something: I'm not sure if Apache will eventually accept that pull request on Github. It looks like this is only a mirror and there's some pending PR over there which looks like nobody is looking at.

Maybe pull requests needs to be submitted using their own process:

https://apr.apache.org/patches.html
https://git-wip-us.apache.org/

What you think about trying submitting to these ones as well to make sure it will be on their pipeline? :)

[marcstern]

Patch submitted on https://bz.apache.org/bugzilla/show_bug.cgi?id=61985