Forum Discussion
Nick_T_68319
Nimbostratus
NimbostratusiRules containing an escaped newline character can cause TMM to crash.
I submitted my qkview to iHealth and a medium alert showed up for "iRules containing an escaped newline character can cause TMM to crash."
Recommendation resolution
Examine the iRules listed below for suspended commands, and remove all instances of escaped newline characters which precede a suspended command later in the iRule.
Can someone point out where my escaped newline character might be?
when HTTP_REQUEST {
set URI to lower case
set tmpUri [string tolower [HTTP::uri]]
URI decode the URI
set uri [URI::decode $tmpUri]
repeat decoding until the decoded version equals the previous value.
while { $uri ne $tmpUri } {
set tmpUri $uri
set uri [URI::decode $tmpUri]
}
switch -glob [string tolower [HTTP::uri]] {
"*<*" -
"*>*" -
"*select *" -
"*insert *" -
"*update *" -
"*delete *" -
"*create *" -
"*drop *" -
"*.\[tempdb\].*" -
"*.\[master\].*" -
"*.\[model\].*" -
"*.\[msdb\]." -
"*.\[dbo\].*" -
"*tempdb.*" -
"*master.*" -
"*model.*" -
"*msDB.*" -
"*.dbo.*" -
"*\r\n*" -
"*!*" -
"*%*" {
log local0. "Reject uri: [HTTP::uri]"
Send a TCP reset
reject
}
default {
Do nothing here to use the VIP's default pool
}
}
}
- The_BhattmanHi Nick,
It's the "*\r\n*"
Bhattman 
hooleylistCirrostratus
I'd guess that's actually a false positive from iHealth on the "*\r\n*" switch case. I don't think there is actually a problem with that iRule in relation to CR135937.
SOL11427 describes the issue as being caused by syntax like this:
SOL11427: TMM cores when executing an iRule statement that contains a suspended command preceded by an escaped newline character
http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11427.htmllog local0. "my log statement split \ over two lines with a backslash escaping the new line character!"
You could open a case with F5 Support to report this and get the heuristic checked/fixed.
Aaron- Hi, folks.
I will update the heuristic, which even apart from this FP is a little broad. It doesn't check that the escaped newline is in an event with a suspending command like session or table. Without that suspend, the bug isn't triggered. Possibly the Right Thing is an Info level heuristic for iRules that use escaped newlines, warning that their use with a suspend can trigger a crash, and another High level heuristic that fires when both conditions are present. - hooleylistThanks for that.
Aaron - Got a brief update: just found out that a library routine I was using strips comments from irules before processing them. This is a problem because for this issue, comments are significant. This will take a little more time to fix, sorry for the FP and the false negatives.
