r4221 - in trunk/varnish-cache/bin: varnishd varnishtest/tests

phk at projects.linpro.no phk at projects.linpro.no
Wed Sep 2 11:08:24 CEST 2009


Author: phk
Date: 2009-09-02 11:08:24 +0200 (Wed, 02 Sep 2009)
New Revision: 4221

Added:
   trunk/varnish-cache/bin/varnishtest/tests/r00549.vtc
Modified:
   trunk/varnish-cache/bin/varnishd/cache_http.c
Log:
Be much more paranoid about control-characters in backend responses.

Fixes #549



Modified: trunk/varnish-cache/bin/varnishd/cache_http.c
===================================================================
--- trunk/varnish-cache/bin/varnishd/cache_http.c	2009-09-02 09:07:46 UTC (rev 4220)
+++ trunk/varnish-cache/bin/varnishd/cache_http.c	2009-09-02 09:08:24 UTC (rev 4221)
@@ -390,7 +390,7 @@
 http_splitline(struct worker *w, int fd, struct http *hp,
     const struct http_conn *htc, int h1, int h2, int h3)
 {
-	char *p;
+	char *p, *q;
 
 	CHECK_OBJ_NOTNULL(htc, HTTP_CONN_MAGIC);
 	CHECK_OBJ_NOTNULL(hp, HTTP_MAGIC);
@@ -403,40 +403,47 @@
 		continue;
 
 	/* First field cannot contain SP, CRLF or CTL */
-	hp->hd[h1].b = p;
-	for (; !vct_issp(*p); p++)
+	q = p;
+	for (; !vct_issp(*p); p++) {
 		if (vct_isctl(*p))
 			return (400);
+	}
+	hp->hd[h1].b = q;
 	hp->hd[h1].e = p;
 
 	/* Skip SP */
-	for (; vct_issp(*p); p++)
-		;
+	for (; vct_issp(*p); p++) {
+		if (vct_isctl(*p))
+			return (400);
+	}
 
-	/* Second field cannot contain LWS */
-	hp->hd[h2].b = p;
-	for (; !vct_islws(*p); p++)
-		;
+	/* Second field cannot contain LWS or CTL */
+	q = p;
+	for (; !vct_islws(*p); p++) {
+		if (vct_isctl(*p))
+			return (400);
+	}
+	hp->hd[h2].b = q;
 	hp->hd[h2].e = p;
 
 	if (!Tlen(hp->hd[h2]))
 		return (400);
 
 	/* Skip SP */
-	for (; vct_issp(*p); p++)
-		;
+	for (; vct_issp(*p); p++) {
+		if (vct_isctl(*p))
+			return (400);
+	}
 
 	/* Third field is optional and cannot contain CTL */
+	q = p;
 	if (!vct_iscrlf(*p)) {
-		hp->hd[h3].b = p;
 		for (; !vct_iscrlf(*p); p++)
 			if (vct_isctl(*p))
 				return (400);
-		hp->hd[h3].e = p;
-	} else {
-		hp->hd[h3].b = p;
-		hp->hd[h3].e = p;
 	}
+	hp->hd[h3].b = q;
+	hp->hd[h3].e = p;
 
 	/* Skip CRLF */
 	p += vct_skipcrlf(p);
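Review bot: The `vct_isctl(*p)` test added inside the two "Skip SP" loops only runs on characters that already satisfied `vct_issp(*p)`, so it is either unreachable or it rejects a character classified as both SP and CTL (presumably HT; the vct tables are outside this hunk). If rejecting tabs between status-line fields is intended, say so at the first loop, e.g. `/* Skip SP; HT is also CTL and is rejected */`; if not, the check can be dropped. Separately, deferring `.b` through `q` keeps each field consistent on its own, but a `return (400)` in the second or third field still leaves `hp->hd[h1]` (and possibly `hp->hd[h2]`) populated, so a one-line comment that `hp->hd[]` must not be read after a 400 would help callers. http_splitline starts and ends outside this hunk.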

Added: trunk/varnish-cache/bin/varnishtest/tests/r00549.vtc
===================================================================
--- trunk/varnish-cache/bin/varnishtest/tests/r00549.vtc	                        (rev 0)
+++ trunk/varnish-cache/bin/varnishtest/tests/r00549.vtc	2009-09-02 09:08:24 UTC (rev 4221)
@@ -0,0 +1,15 @@
+# $Id$
+
+# Regression test for bad backend reply with ctrl char.
+
+server s1 {
+	rxreq
+	send "HTTP/1.1 200 OK\013\r\n\r\nTest"
+} -start
+
+varnish v1 -vcl+backend {} -start
+
+client c1 {
+	txreq
+	rxresp
+} -run
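Review bot: The client block ends at `rxresp` with no `expect`, so the test passes on any response and only proves that varnishd survives the bad status line. Adding an assertion after `rxresp`, e.g. `expect resp.status == 503` (presumably the status returned when a backend reply is rejected; confirm), would pin the rejection itself. The `\013` sits in the reason phrase only, so the new checks on the first and second fields and in the SP-skipping loops of http_splitline are not exercised; a second server/client pair with the control character in the protocol or status field would cover them.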


