Forum Discussion

Nick_T_68319's avatar
Icon for Nimbostratus rankNimbostratus
Jan 07, 2011

iRules containing an escaped newline character can cause TMM to crash.

I submitted my qkview to iHealth and a medium alert showed up for "iRules containing an escaped newline character can cause TMM to crash."



Recommendation resolution

Examine the iRules listed below for suspended commands, and remove all instances of escaped newline characters which precede a suspended command later in the iRule.




Can someone point out where my escaped newline character might be?










set URI to lower case


set tmpUri [string tolower [HTTP::uri]]




URI decode the URI


set uri [URI::decode $tmpUri]




repeat decoding until the decoded version equals the previous value.


while { $uri ne $tmpUri } {


set tmpUri $uri


set uri [URI::decode $tmpUri]






switch -glob [string tolower [HTTP::uri]] {


"*<*" -


"*>*" -


"*select *" -


"*insert *" -


"*update *" -


"*delete *" -


"*create *" -


"*drop *" -


"*.\[tempdb\].*" -


"*.\[master\].*" -


"*.\[model\].*" -


"*.\[msdb\]." -


"*.\[dbo\].*" -


"*tempdb.*" -


"*master.*" -


"*model.*" -


"*msDB.*" -


"*.dbo.*" -


"*\r\n*" -


"*!*" -


"*%*" {


log local0. "Reject uri: [HTTP::uri]"


Send a TCP reset






default {


Do nothing here to use the VIP's default pool










5 Replies

  • I'd guess that's actually a false positive from iHealth on the "*\r\n*" switch case. I don't think there is actually a problem with that iRule in relation to CR135937.

    SOL11427 describes the issue as being caused by syntax like this:

    SOL11427: TMM cores when executing an iRule statement that contains a suspended command preceded by an escaped newline character

    log local0. "my log statement split \
       over two lines with a backslash escaping the new line character!"

    You could open a case with F5 Support to report this and get the heuristic checked/fixed.

  • jimmythegeek_10's avatar
    Historic F5 Account
    Hi, folks.



    I will update the heuristic, which even apart from this FP is a little broad. It doesn't check that the escaped newline is in an event with a suspending command like session or table. Without that suspend, the bug isn't triggered. Possibly the Right Thing is an Info level heuristic for iRules that use escaped newlines, warning that their use with a suspend can trigger a crash, and another High level heuristic that fires when both conditions are present.


  • jimmythegeek_10's avatar
    Historic F5 Account
    Got a brief update: just found out that a library routine I was using strips comments from irules before processing them. This is a problem because for this issue, comments are significant. This will take a little more time to fix, sorry for the FP and the false negatives.