[Varnish] #1691: varnish-4.0.3 admits bogus content-length header

Varnish varnish-bugs at varnish-cache.org
Wed Mar 11 13:05:18 CET 2015

#1691: varnish-4.0.3 admits bogus content-length header
 Reporter:  ingvar  |      Owner:
     Type:  defect  |     Status:  new
 Priority:  normal  |  Milestone:
Component:  build   |    Version:  unknown
 Severity:  normal  |   Keywords:
 As seen at http://seclists.org/oss-sec/2015/q1/776:

 While still unable to trig the crash described, varnish seems to accept a
 bogus Content-Length header.

 When backend sets Content-Length to a bougs value, like "dupa" in the oss-
 sec post above, it seems that varnish enters v1f_pull_straight(), while it

 From my IRC log:
 10:47 < phk> ingvar, if you runs something like this against 4.0.3 what do
              get ?  http://phk.freebsd.dk/misc/a.vtc
 10:48 < phk> perbu, did changing the umask help ?
 10:49 < phk> ingvar, this might actually be an off-by one thing...
 10:56 < ingvar> phk: http://fpaste.org/196148/59813651/
 10:59 < phk> ingvar, try putting "non-fatal" in top of the servers s1
 11:00 < ingvar> phk: #     top  TEST tests/a.vtc passed (1.513)
 11:02 < ingvar> phk: I can add verbose output as well, sec
 11:03 < ingvar> phk: http://ur1.ca/jvrka
 11:06 < phk> ingvar, the fact that they're in v1f_pull_straight() means
              the bogus C-L somehow got accepted.
 11:06 < phk> ingvar, I have a really hard time understanding how that

 Consider the test results attached.

 I'm not quite sure I've got this stright, and if this really is a problem,
 why it is not trigged by varnishtest/tests/r01356.vtc

Ticket URL: <https://www.varnish-cache.org/trac/ticket/1691>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator

More information about the varnish-bugs mailing list