I have a user who sends a long sequence of chars. He does this about 3 times a day,
and it hangs the entire synchronet, what can be done to prevent this??

Log:

2024-12-29 20:36:39 0660 HTTPS [203.95.221.254] Path is: S:\sbbs\webv4\root\index.xjs
2024-12-29 20:36:39 0660 JavaScript: Initializing User Objects
2024-12-29 20:36:39 0660 RX: 159
2024-12-29 20:36:39 0660 RX:
2024-12-29 20:36:39 0660 RX: 0
2024-12-29 20:36:39 0660 RX:
2024-12-29 20:36:39 0660 HTTPS [203.95.221.254] Adding query value page=000-register.xjs at pos 0
2024-12-29 20:36:39 0660 HTTPS [203.95.221.254] Adding query value {"address":"PEcMePVfZfxIp","alias":"ZjGOjPUnnL","birth":"CdgyFQhpAzPiluF","gender":"O","location":"sJwoLWdhauTLhNd","ne tmail":"winterrigerbrdill@yahoo.com","password1":"d3Uf7vvFNB9Puf!","password2":"d3Uf7vvFNB9Puf!","phone":"7670439781"," realname":"ZcWolXOak","send-me-free-stuff":"eiJiUTxBDj","subscribe-to-newsletter":"1","zipcode":"YAbvkZDm"}= at pos 0
2024-12-29 20:36:39 0660 JavaScript: Compiling script: S:\sbbs\exec\xjs_handler.js
2024-12-29 20:36:39 0660 JavaScript: Executing script: S:\sbbs\exec\xjs_handler.js
2024-12-29 20:36:39 0660 HTTPS [203.95.221.254] <Guest> logged-in

it pop up a debug error:
Program; WEBSRVR.DLL
HEAP CORRUPTION DETECTED after normal block (#143377) at
0x0B7C56B8
CRT detected that the application wrote to memory after end of heap buffer.

/Max

---
þ Synchronet þ Pepzi - Pepzi.net - 1000/1000 MBits
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Max wrote to Digital Man <=-

I have a user who sends a long sequence of chars. He does this about 3 times a day, and it hangs the entire synchronet, what can be done to prevent this??

That's not a user, it's a hacker/bot.

Ban/block the IP/hostname he's calling from, for starters.



... Can you tell me how to get, how to get to Sesame Street?
--- MultiMail/Linux v0.52
þ Synchronet þ Palantir BBS * palantirbbs.ddns.net * Pensacola, FL
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Max to Digital Man on Sun Dec 29 2024 09:19 pm

I have a user who sends a long sequence of chars. He does this about 3 times a day,
and it hangs the entire synchronet, what can be done to prevent this??

Log:

2024-12-29 20:36:39 0660 HTTPS [203.95.221.254] Path is: S:\sbbs\webv4\root\index.xjs
2024-12-29 20:36:39 0660 JavaScript: Initializing User Objects
2024-12-29 20:36:39 0660 RX: 159
2024-12-29 20:36:39 0660 RX:
2024-12-29 20:36:39 0660 RX: 0
2024-12-29 20:36:39 0660 RX:
2024-12-29 20:36:39 0660 HTTPS [203.95.221.254] Adding query value page=000-register.xjs at pos 0
2024-12-29 20:36:39 0660 HTTPS [203.95.221.254] Adding query value {"address ":"PEcMePVfZfxIp","alias":"ZjGOjPUnnL","birth":"CdgyFQhpAzPiluF"," gender":"O"," location":"sJwoLWdhauTLhNd","ne tmail":"winterrigerbrdill@yahoo.com","password1 ":"d3Uf7vvFNB9Puf!","password2":"d3Uf7vvFNB9Puf!","phone":"7670439781"," realna me":"ZcWolXOak","send-me-free-stuff":"eiJiUTxBDj","subscribe-to-newsl etter":"1" ,"zipcode":"YAbvkZDm"}= at pos 0
2024-12-29 20:36:39 0660 JavaScript: Compiling script: S:\sbbs\exec\xjs_handler.js
2024-12-29 20:36:39 0660 JavaScript: Executing script: S:\sbbs\exec\xjs_handler.js
2024-12-29 20:36:39 0660 HTTPS [203.95.221.254] <Guest> logged-in

it pop up a debug error:
Program; WEBSRVR.DLL
HEAP CORRUPTION DETECTED after normal block (#143377) at
0x0B7C56B8
CRT detected that the application wrote to memory after end of heap buffer.

Can you find the actual http request in your log and send that? It definitely sounds like a bug in websrvr.c that I'd like to find and fix.
--
digital man (rob)

Synchronet "Real Fact" #73:
SyncTERM (created by Deuce) contains portions of Synchronet and SEXYZ code Norco, CA WX: 59.3øF, 71.0% humidity, 5 mph W wind, 0.01 inches rain/24hrs
--- SBBSecho 3.23-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Digital Man to Max on S”n Dec 29 2024 15:33:28

Can you find the actual http request in your log and send that? It definitely sounds like a bug in websrvr.c that
I'd like to find and fix.

It's not saved in any log at all, but taken from the screen, so I don't have that line now, but I'll see if I can find it next time.

Thank You,
/Max

---
þ Synchronet þ Pepzi - Pepzi.net - 1000/1000 MBits
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Digital Man to Max on S”n Dec 29 2024 15:33:28

hi,

Now he hang it again.

You find my log at https://pepzi.net/hang.zip

It happens at 17.30 in the log.

/Max

---
þ Synchronet þ Pepzi - Pepzi.net - 1000/1000 MBits
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Max to Digital Man on Mon Dec 30 2024 06:11 pm

Re: hanging my bbs
By: Digital Man to Max on S”n Dec 29 2024 15:33:28

hi,

Now he hang it again.

You find my log at https://pepzi.net/hang.zip

It happens at 17.30 in the log.

Did you get the same error you reported previously, "HEAP CORRUPTION DETECTED"?

I see a similar attempt to create a new/spam user at 17:30 (HTTPS socket/session 2992), but the web server still seems to be running and accepting requests after that time (at least until 17:59).

Can you elaborate?
--
digital man (rob)

Synchronet/BBS Terminology Definition #85:
Telix = Commercial MS-DOS and Windows communications/terminal program
Norco, CA WX: 64.3øF, 61.0% humidity, 1 mph WNW wind, 0.00 inches rain/24hrs --- SBBSecho 3.23-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Max to Digital Man on Mon Dec 30 2024 06:11 pm

Re: hanging my bbs
By: Digital Man to Max on S”n Dec 29 2024 15:33:28

hi,

Now he hang it again.

You find my log at https://pepzi.net/hang.zip

It happens at 17.30 in the log.

The only thing really suspect is that long (336 char) JSON-formatted query key apparently provided by the client (spam bot, most likely) in the POST DATA:

2024-12-30 17:30:59 2992 HTTPS [176.88.166.199] Adding query value {"address":"AfNHgbfqdItwR","alias":"arqVgqigSEyE","birth":"UzLTgUVNCfl","gender":"O","location":"sgLmNzAjaqD","netmail":"izozebecu12@gmail.com","password1":"Rx148LK7BDpxlD!","password2":"Rx148LK7BDpxlD!","phone":"8171440807","realname":"FstnDlAvvm","send-me-free-stuff":"HaXGKEEsa","subscribe-to-newsletter":"1","zipcode":"HWJMktCJIa"}= at pos 0

I found (and just fixed) a lack of error checking when converting that query value string to a JS string. I'm not sure if that's part of this issue (HEAP CORRUPTION / hang) or not, but it's worth updating and seeing if/when it happens again and continue to provide the relevant log data. Much appreciated,
--
digital man (rob)

This Is Spinal Tap quote #15:
Review on "Shark Sandwich", merely a two word review: "Shit Sandwich".
Norco, CA WX: 64.6øF, 64.0% humidity, 1 mph SSW wind, 0.00 inches rain/24hrs --- SBBSecho 3.23-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Digital Man to Max on M†n Dec 30 2024 14:07:10

I see a similar attempt to create a new/spam user at 17:30 (HTTPS socket/session 2992), but the web server still seems to be running and
accepting requests after that time (at least until 17:59).

Can you elaborate?

It hangs at 17:30
and stops logging, and there is a popup with an error, when I get to the computer and click on the error window, ignore, and
it continues to work and log, but it works very poorly, so I have to restart. At 17.59 i click at ignore.

/Max

---
þ Synchronet þ Pepzi - Pepzi.net - 1000/1000 MBits
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Max to Digital Man on Tue Dec 31 2024 03:00 am

Re: hanging my bbs
By: Digital Man to Max on M†n Dec 30 2024 14:07:10

I see a similar attempt to create a new/spam user at 17:30 (HTTPS socket/session 2992), but the web server still seems to be running and accepting requests after that time (at least until 17:59).

Can you elaborate?

It hangs at 17:30
and stops logging, and there is a popup with an error, when I get to the computer and click on the error window, ignore, and
it continues to work and log, but it works very poorly, so I have to restart. At 17.59 i click at ignore.

I see, that explains the gap in the log.

I noticed your JS runtime heap size is a bit small at 16M. The default nowadays is 10x that (160M). Just as an experiment, you want to try increasing that value (e.g. in SBBSCTRL:File->properties->JavaScript->Heap Size)?

I'd like to root-cause and resolve the issue, so steps like filtering the client IP, increasing the JS heap, could just work-around the issue which could always pop-up again in new and different ways. So it's good that you have a reproduction case/configuration as well and that can be valuable.

I do think it's interesting that you're getting a debug assertion, which I think can only happen in debug builds (e.g. of websrvr.dll). Are you building your own Synchronet executables? If you are, that implies you'd have MSVS/C++ installed and could potentially attach its debugger to the crashed sbbs and get a backtrace (callstack). That could be very useful in helping to root-cause and resolve this heap corruption.

Another thing that could potentially help would be a packet capture (e.g. using Wireshark), so we could maybe feed that same HTTP POST request back into a webserver and reproduce the crash.
--
digital man (rob)

Steven Wright quote #20:
If Barbie is so popular, why do you have to buy her friends?
Norco, CA WX: 56.1øF, 80.0% humidity, 2 mph WNW wind, 0.00 inches rain/24hrs --- SBBSecho 3.23-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Digital Man to Max on M†n Dec 30 2024 15:01:16

I found (and just fixed) a lack of error checking when converting that query value string to a JS string. I'm not sure if that's part of
this issue (HEAP CORRUPTION / hang) or not, but it's worth updating and seeing if/when it happens again and continue to provide the
relevant log data. Much appreciated,
--

i have loaded the new update now. Will see when he reproduces again, and try to save the log.
Thank you

/Max

---
þ Synchronet þ Pepzi - Pepzi.net - 1000/1000 MBits
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Digital Man to Max on M†n Dec 30 2024 18:16:54

I noticed your JS runtime heap size is a bit small at 16M. The default nowadays is 10x that (160M). Just as an experiment, you want to
try increasing that value (e.g. in SBBSCTRL:File->properties->JavaScript->Heap Size)?

I has change it to 160M now.

I do think it's interesting that you're getting a debug assertion, which I think can only happen in debug builds (e.g. of
websrvr.dll). Are you building your own Synchronet executables? If you are, that implies you'd have MSVS/C++ installed and could
potentially attach its debugger to the crashed sbbs and get a backtrace (callstack). That could be very useful in helping to
root-cause and resolve this heap corruption.

Yes, i build it myself with MS Visual Studio 2022, and it is debug build, but I cant mush about debugging...

Another thing that could potentially help would be a packet ure (e.g. using Wireshark), so we could maybe feed that same HTTP POST
request back into a webserver and reproduce the crash.

will try that.

All you have done didn't help, he is back again. And the error windows still popup.
Lastest log at https://pepzi.net/hang2.txt
Thanks anyway

digital man (rob)

/Max

---
þ Synchronet þ Pepzi - Pepzi.net - 1000/1000 MBits
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

Re: hanging my bbs
By: Max to Digital Man on Tue Dec 31 2024 01:23 pm

Re: hanging my bbs
By: Digital Man to Max on M†n Dec 30 2024 18:16:54

I noticed your JS runtime heap size is a bit small at 16M. The default nowadays is 10x that (160M). Just as an experiment, you want to try increasing that value (e.g. in SBBSCTRL:File->properties->JavaScript->Heap Size)?

I has change it to 160M now.

I do think it's interesting that you're getting a debug assertion, which I think can only happen in debug builds (e.g. of websrvr.dll). Are you building your own Synchronet executables? If you are, that implies you'd have MSVS/C++ installed and could potentially attach its debugger to the crashed sbbs and get a backtrace (callstack). That could be very useful in helping to root-cause and resolve this heap corruption.

Yes, i build it myself with MS Visual Studio 2022, and it is debug build, but I cant mush about debugging...

Why not? That would be *really* helpful for root-causing and resolving the problem:
https://wiki.synchro.net/howto:msvc

You often can just attach the process (sbbsctrl.exe) with the debugger (MSVS) at the time of the crash and copy the backtrace/callstack.

Another thing that could potentially help would be a packet ure (e.g. using Wireshark), so we could maybe feed that same HTTP POST request back into a webserver and reproduce the crash.

will try that.

All you have done didn't help, he is back again. And the error windows still popup.
Lastest log at https://pepzi.net/hang2.txt
Thanks anyway

Does it happen if you use the (release) binaries from sbbs_dev.zip instead? I'm not clear why you're building debug binaries yourself if you can't (or won't) help debug it.
--
digital man (rob)

Rush quote #24:
The more that things change, the more they stay the same
Norco, CA WX: 60.8øF, 68.0% humidity, 2 mph WNW wind, 0.00 inches rain/24hrs --- SBBSecho 3.23-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)