<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">Hi,</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">I am using mochiweb as an HTTPS
web server for my application (Secure Sockets Layer). I am new to security. </span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">One of the users reported
that sending random data to the web server port makes beam.smp consume 100%
CPU for an indefinitely long period.</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">Steps to reproduce</span></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="mso-ascii-font-family:Calibri;mso-fareast-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D"><span style="mso-list:Ignore">1.<span style="font:7.0pt &quot;Times New Roman&quot;">      
</span></span></span><span style="mso-ascii-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D">Start
a mochiweb HTTPS server (you can use the mochiweb web storage example app provided,
with no other options) on a specific port (e.g. 8443)</span></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="mso-ascii-font-family:Calibri;mso-fareast-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D"><span style="mso-list:Ignore">2.<span style="font:7.0pt &quot;Times New Roman&quot;">      
</span></span></span><span style="mso-ascii-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D">Run
the command “nc [IP address] 8443 &lt; /dev/urandom”</span></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="mso-ascii-font-family:Calibri;mso-fareast-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D"><span style="mso-list:Ignore">3.<span style="font:7.0pt &quot;Times New Roman&quot;">      
</span></span></span><span style="mso-ascii-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D">The
server rejects the connection (you may sometimes get an SSL record error). The command
returns to the shell.</span></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="mso-ascii-font-family:Calibri;mso-fareast-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D"><span style="mso-list:Ignore">4.<span style="font:7.0pt &quot;Times New Roman&quot;">      
</span></span></span><span style="mso-ascii-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D">Repeat
the above command for some time, until the command does not return to the shell.</span></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="mso-ascii-font-family:Calibri;mso-fareast-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D"><span style="mso-list:Ignore">5.<span style="font:7.0pt &quot;Times New Roman&quot;">      
</span></span></span><span style="mso-ascii-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D">Observe
beam.smp taking 100% CPU and memory usage increasing (it may reach the system
limit and crash).</span></p>

<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><span style="mso-ascii-font-family:Calibri;mso-fareast-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D"><span style="mso-list:Ignore">6.<span style="font:7.0pt &quot;Times New Roman&quot;">      
</span></span></span><span style="mso-ascii-font-family:Calibri;
mso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:#1F497D">If
you stop the command (^C on nc), it returns to normal.</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">Observations</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">It is reproducible on both Linux
and Windows.</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">It happens with other HTTPS web
servers as well (tried with misultin).</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">It does not happen for an HTTP
server (so it should be in the ssl library). </span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">I tried giving different SSL options,
like {verify, verify_peer} with an empty certificate as valid, but it did not help.</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">For web servers
written in other languages this is not the behavior. For example, with lighttpd (php) nc
just returns to the shell every time.</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D"> </span></p>


<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">I debugged the issue and
found that in the other cases, where the nc command returns immediately to the
shell, the SSL connection does not succeed (it behaves normally).</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">But for the case where nc
does not return, the call is in an infinite loop in “</span>next_tls_record
in ssl_connection.erl”<span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">, thus making the CPU go to
100% and memory increase.</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">This can lead to a denial of
service attack. Is this a bug, and should I raise it in the bug report forum?</span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D"> </span></p>

<p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">Any help will be
appreciated.</span></p><p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D"><br></span></p><p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Calibri;mso-bidi-font-family:Calibri;color:#1F497D"><br></span></p><p class="MsoNormal"><span style="mso-ascii-font-family:Calibri;mso-hansi-font-family:
Thanks">
Calibri;mso-bidi-font-family:Calibri;color:#1F497D">Thanks &amp; Regards,</span></p><p class="MsoNormal"><font class="Apple-style-span" color="#1f497d">Vinod</font></p><div><br></div>
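Thanks">
<p class="MsoNormal">A defensive check for the symptom described in this message, added here as an example (it is not code from the post, from mochiweb or from OTP): an Erlang module that finds connection processes burning reductions inside the ssl connection module and can kill them to contain a single stuck connection. It assumes the module is named ssl_connection as in the report (or tls_connection on later OTP releases) and that it is run from the shell of the node serving HTTPS.</p>

```erlang
%% Added example (not from the original post): samples every process on the
%% node twice and reports those that burned many reductions while executing
%% inside the ssl connection module, i.e. a process spinning in
%% next_tls_record. Run from the node shell: ssl_spin_check:find_spinning(1000).
-module(ssl_spin_check).
-export([find_spinning/1, find_spinning/2, kill_spinning/1]).

%% ssl_connection is the module named in the report; tls_connection is the
%% name later OTP releases use for the same process (assumption).
-define(SSL_MODULES, [ssl_connection, tls_connection]).

%% Snapshot of {Reductions, MemoryBytes, CurrentFunction} per live pid.
%% process_info/2 returns undefined for a pid that has just exited, which
%% does not match the list pattern and is therefore skipped.
sample() ->
    dict:from_list(
      [{Pid, {R, M, CF}}
       || Pid <- erlang:processes(),
          [{reductions, R}, {memory, M}, {current_function, CF}] <-
              [erlang:process_info(Pid, [reductions, memory, current_function])]]).

find_spinning(IntervalMs) ->
    find_spinning(IntervalMs, 1000000).

%% Two samples IntervalMs apart. A process is reported when it is currently
%% inside one of ?SSL_MODULES and consumed at least MinReductions between the
%% samples; an idle ssl connection blocked in receive consumes none, so a
%% healthy server yields an empty list. Returns [{Pid, Delta, Memory, MFA}].
find_spinning(IntervalMs, MinReductions) ->
    First = sample(),
    timer:sleep(IntervalMs),
    Second = sample(),
    [{Pid, R2 - R1, Mem, CF}
     || {Pid, {R2, Mem, {Mod, _, _} = CF}} <- dict:to_list(Second),
        lists:member(Mod, ?SSL_MODULES),
        {ok, {R1, _, _}} <- [dict:find(Pid, First)],
        R2 - R1 >= MinReductions].

%% Containment: kill the processes reported by find_spinning/2. The
%% untrappable kill signal is acted on the next time the process is scheduled,
%% so it works even though the process never returns to its receive loop;
%% only that client's connection is dropped, the listener stays up.
kill_spinning(Spinning) ->
    lists:foreach(
      fun({Pid, Delta, Mem, CF}) ->
              error_logger:warning_msg(
                "killing spinning ssl process ~p in ~p (~p reductions, ~p bytes)~n",
                [Pid, CF, Delta, Mem]),
              exit(Pid, kill)
      end, Spinning),
    length(Spinning).
```

<p class="MsoNormal">This only limits the damage of one stuck connection at a time; the loop itself needs a fix in the ssl application, which is why a bug report is the right next step.</p>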