[Varnish] #606: Varnish 2.0.6 -- fix for ESI src= parsing error -- causes a "bogus" character in the URL and a potential memory clobber

Varnish varnish-bugs at projects.linpro.no
Thu Dec 24 20:24:19 CET 2009


#606: Varnish 2.0.6 -- fix for ESI src= parsing error -- causes a "bogus"
character in the URL and a potential memory clobber
-------------------+--------------------------------------------------------
 Reporter:  niz    |        Type:  defect
   Status:  new    |    Priority:  high  
Milestone:         |   Component:  build 
  Version:  trunk  |    Severity:  normal
 Keywords:         |  
-------------------+--------------------------------------------------------
 Hi,

 I thought I would report a bug and what I believe is the fix for an ESI
 src= parsing error in Varnish.


 In cache_vrt_esi.c the terminating '\0' for the "val" part of "attr=val"
 is not set as the last character of the allocated string but rather the
 first byte beyond the allocated string.  This causes an extra bogus
 character to remain in the string and it also clobbers the first byte
 beyond what was allocated.

 The symptom on our system was a periodic extra character in the url part of
 the "<esi:include src="url"/>" which generated a 404 page not found, which
 made it look like the ESI src wasn't resolved.   If, however, the last
 byte of memory was already a '\0' or a blank then it would work fine.

 The fix is a one line change to this code (in cache_vrt_esi.c)...

 if ( val.b != val.e ) {
     s = Tlen(val) + 1;
     c = WS_Alloc(ws, s);
     memcpy(c, val.b, Tlen(val));
     val.b = c;
     val.e = val.b + s;     /* note: s length already includes the space of '\0' */
     *val.e = '\0';         /* <=== this should be "*(val.e-1) = '\0';" */
 }

 I hope this helps.

 Best,
 /j

-- 
Ticket URL: <http://varnish.projects.linpro.no/ticket/606>
Varnish <http://varnish.projects.linpro.no/>
The Varnish HTTP Accelerator

