HEADS-UP: Bug in Varnish 2.1.1 may append junk to objects

Poul-Henning Kamp phk at critter.freebsd.dk
Tue May 4 16:27:47 CEST 2010


Thanks to Audun Ytterdal, I just fixed a really boneheaded bug I
introduced in Varnish 2.1.1.

This will warrant a 2.1.2 release, but because that typically takes
a week or so, I am sending this heads-up to the varnish-announce
list, so those of you who are affected can take evasive action in
the meantime.

If your backend sends chunked encoding (typically only CGI processing)
and delivers objects larger than 128k, you may hit this bug.

To fix this for good, you can apply the one-line patch attached to
the commit message below.

As a workaround, you can increase the "fetch_chunksize" parameter
to be bigger than any object your backend may deliver with chunked
encoding.  Be aware that this will affect storage usage negatively.

Telling your backend to not use chunked encoding (if possible) is
also a water-tight workaround.

My apologies,

Poul-Henning

------------------------------------------------------------------------
Author: phk
Date: 2010-05-04 16:19:05 +0200 (Tue, 04 May 2010)
New Revision: 4758

Added:
   trunk/varnish-cache/bin/varnishtest/tests/r00694.vtc
Modified:
   trunk/varnish-cache/bin/varnishd/cache_response.c
Log:
Fix one of those "nothing can possibly go wrong" bugs that are so
typical of "let's just try to get this into the release" features.

The recent addition of experimental Range: header support broke
a corner case in normal content delivery.

If an object was delivered from the backend using chunked encoding,
and was larger than the storage segment size (default: 128k) this
bug may bite.

The effect of the bug is that up to a storage segment's worth of junk
may be appended to the transmitted object.

This is mostly harmless, because the Content-Length header will make
the browser do the right thing, but certain load-balancers will
go cross-eyed and act really weird at the TCP level, spewing
interesting RST packets to the client.

This bug is only in 2.1.1, not in 2.1.0.

Fixes:			#694
Isolated by:		ay
Fool who did this:	phk


Modified: trunk/varnish-cache/bin/varnishd/cache_response.c
===================================================================
--- trunk/varnish-cache/bin/varnishd/cache_response.c	2010-05-04 13:56:00 UTC (rev 4757)
+++ trunk/varnish-cache/bin/varnishd/cache_response.c	2010-05-04 14:19:05 UTC (rev 4758)
@@ -325,7 +325,7 @@
 		}
 		if (ptr + len > high)
 			/* Chop tail of segment off */
- 			len = 1 + high - low;
+			len = 1 + high - ptr;
 
 		ptr += len;
 
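
Review bot: The tail chop at `len = 1 + high - ptr;` depends on `high` being the inclusive offset of the last byte to send, and neither the comment nor the guard says so. The guard `ptr + len > high` also fires when the segment ends exactly at `high` (ptr + len == high + 1); that is harmless because the assignment then leaves `len` unchanged, but it reads like an off-by-one, so consider `ptr + len > high + 1` or extend the comment to state that the bound is inclusive. The `if` body is a comment plus one statement without braces, and adding braces would make the chop easier to audit. The log lists tests/r00694.vtc as added, but its contents are not part of this diff, so it cannot be confirmed here that the test delivers a chunked object spanning more than one storage segment.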