[Varnish] #1691: varnish-4.0.3 admits bogus content-length header
Varnish
varnish-bugs at varnish-cache.org
Wed Mar 11 13:05:18 CET 2015
#1691: varnish-4.0.3 admits bogus content-length header
--------------------+---------------------
Reporter: ingvar | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: build | Version: unknown
Severity: normal | Keywords:
--------------------+---------------------
As seen at http://seclists.org/oss-sec/2015/q1/776:
While still unable to trigger the crash described, varnish seems to accept a
bogus Content-Length header.
When backend sets Content-Length to a bogus value, like "dupa" in the oss-sec
post above, it seems that varnish enters v1f_pull_straight(), while it
shouldn't.
From my IRC log:
10:47 < phk> ingvar, if you run something like this against 4.0.3 what do you get ? http://phk.freebsd.dk/misc/a.vtc
10:48 < phk> perbu, did changing the umask help ?
10:49 < phk> ingvar, this might actually be an off-by one thing...
(...)
10:56 < ingvar> phk: http://fpaste.org/196148/59813651/
10:59 < phk> ingvar, try putting "non-fatal" in top of the servers s1 stuff
11:00 < ingvar> phk: # top TEST tests/a.vtc passed (1.513)
11:02 < ingvar> phk: I can add verbose output as well, sec
11:03 < ingvar> phk: http://ur1.ca/jvrka
11:06 < phk> ingvar, the fact that they're in v1f_pull_straight() means that the bogus C-L somehow got accepted.
11:06 < phk> ingvar, I have a really hard time understanding how that happened.
Consider the test results attached.
I'm not quite sure I've got this straight, and if this really is a problem,
why it is not triggered by varnishtest/tests/r01356.vtc
--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1691>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator
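
Added example, not part of the original ticket and not Varnish's code: a strict Content-Length parser in C that rejects a value such as "dupa", shown next to a strtoll()-based parse that reads the same value as 0. The function names and most sample values are assumptions made for this illustration; the grammar enforced is Content-Length = 1*DIGIT from RFC 7230.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse: strtoll() stops at the first non-digit and returns 0 when
 * there are no digits at all, so "dupa" is indistinguishable from "0". */
long long cl_lenient(const char *v)
{
    return strtoll(v, NULL, 10);
}

/* Strict parse (RFC 7230: Content-Length = 1*DIGIT, optional whitespace
 * around the field value). Returns 0 and stores the length on success,
 * -1 if the value is empty, signed, non-numeric, has trailing bytes,
 * or does not fit in uint64_t. *out is untouched on failure. */
int cl_strict(const char *v, uint64_t *out)
{
    uint64_t n = 0;
    int digits = 0;

    while (*v == ' ' || *v == '\t')
        v++;
    for (; isdigit((unsigned char)*v); v++, digits++) {
        unsigned d = (unsigned)(*v - '0');
        if (n > (UINT64_MAX - d) / 10)
            return -1;              /* n * 10 + d would overflow */
        n = n * 10 + d;
    }
    while (*v == ' ' || *v == '\t')
        v++;
    if (digits == 0 || *v != '\0')
        return -1;                  /* no digits, or junk after them */
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed header values; "dupa" is the one quoted in the ticket. */
    const char *samples[] = { "1234", "dupa", "12abc", "-1", "" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        uint64_t n = 0;
        int rc = cl_strict(samples[i], &n);
        printf("\"%s\" lenient=%lld strict=%s\n", samples[i],
            cl_lenient(samples[i]), rc == 0 ? "accept" : "reject");
    }
    return 0;
}
```

A caller that gets -1 from the strict parser should treat the backend response as malformed rather than fall back to reading a length-delimited body.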