iRule with table apparently leaking memory

Question

We have an apparent memory leak that, according to F5, is the result of an iRule. We are using the 10.1 table command, with all entries set to a max life timeout of 1 hour. However, memory on our unit is steadily increasing, and according to to the bp memory output, is tied up in the iRules.

I did find SOL12245, which details a known memory leak in the table keys -subtable command, which we use. However, it specifically states that it doesn't apply to the command when the -count option is used, which is the only way that we use it. I can't see any other reason for the memory leak, unless the expiration only applies to keys, but the subtables never expire?

TIA for any help:

when RULE_INIT {

set ::pdfappmaxRate 20 ;set later per user from class

set static::pdfappwindowSecs 300 ;global

}

when HTTP_REQUEST {

if { [HTTP::method] eq "GET" } {

Check to make sure the user is not in a redirect loop because of not accepting cookies

if { (([HTTP::uri] contains "?tag=1?tag=1") or ([HTTP::uri] contains "&tag=1&tag=1")) } {

HTTP::redirect "http://ieeepdfapp.site.com/pdfapp/cookiedetectresponse.jsp"

}

if { (([HTTP::uri] contains "stamp.jsp") or ([HTTP::uri] contains ".pdf")) and not ([HTTP::header exists Range ]) and ([HTTP::cookie exists ERIGHTS])} {

log local0. "pdfapp PDF Initial download detected."

Extract clients IP address

set client_ip [IP::remote_addr]

set pdfapp_session [HTTP::cookie ERIGHTS]

set mypdfappMaxRate $::pdfappmaxRate

set pdfnum [table incr "pdfapp:$pdfapp_session"]

set orig_ip [table lookup -subtable session_map $pdfapp_session]

log local0. "Session ID $pdfapp_session should have IP [table lookup -subtable session_map $pdfapp_session]"

log local0. "Client actually has IP $client_ip"

table lifetime pdfapp:$pdfapp_session 3600

table timeout pdfapp:$pdfapp_session 3600

log local0. "Client $client_ip has $pdfnum total hits"

set tbl "countpdf:$pdfapp_session"

table set -subtable $tbl $pdfnum "ignored" indef $static::pdfappwindowSecs

log local0. "Client $pdfapp_session has: [table keys -subtable $tbl -count] pdf downloads in the past $static::pdfappwindowSecs seconds"

if { [table keys -subtable $tbl -count] > $mypdfappMaxRate } {

log local0. "PDF Abuse - User $client_ip, Session $pdfapp_session"

HTTP::respond 200 content {"Slow Down!"

}

return

}

hooleylist · Answer

Hi mrintzler, 
&nbsp;  
&nbsp; Can you clarify what you're trying to accomplish?   
&nbsp;  
&nbsp; Where are you defining $webapp_session?  I don't see this set in the iRule.  One issue I see is that you're incrementing the table before you check to see if you're over the limit.  It would be more efficient to check if you're over the limit before doing any table additions/changes. 
&nbsp;  
&nbsp; Also, if you're on a CMP capable platform, I'd also suggest changing the global variable $::webappmaxRate to a static variable, $static::::webappmaxRate.  This will allow the iRule to run on all TMM instances instead of just one. 
&nbsp;  
&nbsp; Aaron

kevin_davies_40 · Answer

I dont think we are seeing the whole picture here. As Aaron said $webapp_session is not defined anywhere.&nbsp;
&nbsp;table timeout webapp:$webapp_session 3600
&nbsp;table lifetime webapp:$webapp_session 3600 &nbsp;
&nbsp;The table key has not yet been defined (did you remove the command?) and you cannot update the lifetime once it has been set. Both those commands should have the key name in quotes. Also because you are using a webapp prefix I suggest you wrap the variable reference in {} for clarity and prevent misreferences. "webapp:${webapp_session}"&nbsp;
&nbsp;Regards&nbsp;
&nbsp;Jarv

mrintzler · Answer

Aaron/Jarv, 
&nbsp; Thanks for the responses.  It looks like in my sanitizing, I made a couple of mistakes.  I deleted the like that sets the webapps_session variable.  I've edited my post to restore it.  Also, the variable in my iRule isn't actually webapp.  It has the application name, so I changed it to sanitize before posting.  But I'm not even sure why I'm defining that particular table to begin with, since I don't reference it after setting the lifetime/timeouts. 
&nbsp;  
&nbsp; The point of this iRule is to track the PDF downloads for each user (by session cookie) and limit the users to a certain number of downloads within a sliding window. 
&nbsp;  
&nbsp; How can I check to see if I'm over the limit?  I couldn't find a command that would easily tell me the size.  &nbsp;

hooleylist · Answer

As long as you're editing the post, can you add [ code ] [/ code ] tags (without the spaces) to preserve the spacing in the iRule? 
&nbsp;  
&nbsp; Thanks, Aaron

mrintzler · Answer

Ok.  I've cleaned it up a bit, I think.   
&nbsp;  
&nbsp; At one point, I also had a function in this iRule to detect when a session's IP address changed because we had an issue with sessions being hijacked.  The application owners moved that logic into their app, so I took that section out.  I think I left those lifetime lines there by mistake.  I'll remove them tomorrow, but would that lead to memory leaking? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Mike 
&nbsp;  &nbsp;

Forum Discussion

iRule with table apparently leaking memory

7 Replies

Recent Discussions

Advise on setting up IRULE

google autenticator broken barcode

Port Group on F5OS network setting

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

Related Content

Memory Safety: CISA and NSA guidance on CWE-1399

Leaked Credential Check with Advanced WAF

US Intelligence Leaks, SwaaS, and OpenAI bug bounty - April 8th - 14th - This Week in Security

Knowledge sharing: High CPU/Memory/Swap investigation/troubleshooting

Plugging Data Leaks