On a related note, this reminded me of the "AV DoS", as it was recently on Bugtraq (again). AV scanners can scan compressed archives, but some scanners do not use a proper mechanism to detect multiple compressed archives inside compressed archives, which in effect creates a bomb, cuz they need to unpack the archives before scanning. While this could keep only the scanner busy indefinitely and not crash Linux, it would also fill up the $TMP partition: if using /tmp, then other Linux apps lose the capability to use /tmp. If using /var/tmp (or symlinked /tmp to /var/tmp), then other Linux apps lose the capability to use /tmp, and eventually lose ANY system logging. If /var and/or /tmp are linked to the VFS root, then any writes could eventually be denied (kinda fun on reboot). Goes to show "large number of files" doesn't necessarily need to be fifty million to cause problems.
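One way a scanner can bound the nested unpacking described above, as an added example that is not part of the original post and not any AV product's code: it walks zip-in-zip archives in memory with a nesting-depth limit and one shared byte budget, so nothing is written to $TMP. The names `scan_zip` and `make_nested`, the limit values, and the zip-only scope are assumptions for illustration.

```python
import io
import zipfile


class ArchiveLimitExceeded(Exception):
    """Raised when a nested archive exceeds the scanner's unpacking budget."""


def scan_zip(data, max_depth=3, max_total=1_000_000, _depth=0, _state=None):
    """Walk nested zips in memory; return total bytes unpacked, or raise."""
    state = _state if _state is not None else {"total": 0}
    if _depth > max_depth:
        raise ArchiveLimitExceeded("nesting deeper than %d levels" % max_depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            remaining = max_total - state["total"]
            # Reject on the declared size before decompressing anything.
            if info.file_size > remaining:
                raise ArchiveLimitExceeded("%s exceeds byte budget" % info.filename)
            # Bounded read: never hold more than the remaining budget (+1 byte).
            with zf.open(info) as member:
                chunk = member.read(remaining + 1)
            if len(chunk) > remaining:
                raise ArchiveLimitExceeded("%s exceeds byte budget" % info.filename)
            # The budget is shared across every nesting level.
            state["total"] += len(chunk)
            if zipfile.is_zipfile(io.BytesIO(chunk)):
                scan_zip(chunk, max_depth, max_total, _depth + 1, state)
            # A real scanner would pass `chunk` to its signature engine here.
    return state["total"]


def make_nested(levels, payload):
    """Constructed sample input: `payload` wrapped in `levels` zip layers."""
    data, name = payload, "payload.bin"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "layer%d.zip" % i
    return data


if __name__ == "__main__":
    print("ok, bytes unpacked:", scan_zip(make_nested(2, b"A" * 1000)))
    for sample in (make_nested(6, b"A"), make_nested(1, b"A" * 2_000_000)):
        try:
            scan_zip(sample)
        except ArchiveLimitExceeded as exc:
            print("rejected:", exc)
```

Rejecting the archive outright when a limit trips, rather than skipping the oversized member, keeps an unscanned payload from being reported as clean.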