[master] bcd514d Fix two bugs in ACL compile code.

Poul-Henning Kamp phk at varnish-cache.org
Tue Jun 11 12:19:52 CEST 2013


commit bcd514d3ffdf24ed3fd1253679deca62ce2cf1aa
Author: Poul-Henning Kamp <phk at FreeBSD.org>
Date:   Tue Jun 11 10:19:09 2013 +0000

    Fix two bugs in ACL compile code.
    
    Fixes	#1312
    
    See Also:	CVE-2013-4090

diff --git a/bin/varnishtest/tests/r01312.vtc b/bin/varnishtest/tests/r01312.vtc
new file mode 100644
index 0000000..05003ea
--- /dev/null
+++ b/bin/varnishtest/tests/r01312.vtc
@@ -0,0 +1,28 @@
+varnishtest "acl miscompile"
+
+server s1 {
+	rxreq
+	txresp
+} -start
+
+varnish v1 -vcl+backend {
+	acl foo {
+		"127.0.0.2";
+		"127.0.1"/19;
+	}
+	acl bar {
+		"127.0.1.2";
+		"127.0.1"/19;
+	}
+	sub vcl_deliver {
+		set resp.http.ACLfoo = client.ip ~ foo;
+		set resp.http.ACLbar = client.ip ~ bar;
+	}
+} -start
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.http.aclfoo == true
+	expect resp.http.aclbar == true
+} -run
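Review bot: The regression test only asserts that both ACLs match (`aclfoo == true`, `aclbar == true`), so a miscompile that makes an ACL match too much would still pass. For access-control code that is the more dangerous direction. Consider adding a third ACL that must not match the test client, with a matching negative expectation, for example (constructed values, assuming the client connects from loopback and a failed match renders as `false`) `acl baz { "127.0.2.2"; "127.0.2"/24; }` with `expect resp.http.aclbaz == false`.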
diff --git a/lib/libvcl/vcc_acl.c b/lib/libvcl/vcc_acl.c
index 9c9e117..eb3bace 100644
--- a/lib/libvcl/vcc_acl.c
+++ b/lib/libvcl/vcc_acl.c
@@ -381,7 +381,7 @@ vcc_acl_emit(const struct vcc *tl, const char *acln, int anon)
 	VTAILQ_FOREACH(ae, &tl->acl, list) {
 
 		/* Find how much common prefix we have */
-		for (l = 0; l <= depth && l * 8 < ae->mask; l++) {
+		for (l = 0; l <= depth && l * 8 < ae->mask - 7; l++) {
 			assert(l >= 0);
 			if (ae->data[l] != at[l])
 				break;
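Review bot: The new bound `ae->mask - 7` in the prefix loop can wrap if `ae->mask` is an unsigned type; its declaration is outside the hunk, so this needs confirming. For a mask shorter than 7 bits the subtraction would then give a very large value, the `l * 8 <` test would stay true, and the loop would keep comparing address bytes that lie beyond the mask. Doing the arithmetic in signed form avoids that: `for (l = 0; l <= depth && l * 8 < (int)ae->mask - 7; l++) {`. The `assert(m >= 0)` added in the next hunk may catch such a case, but only as an abort after the fact. The body of vcc_acl_emit starts and ends outside the hunk.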
@@ -392,11 +392,11 @@ vcc_acl_emit(const struct vcc *tl, const char *acln, int anon)
 		while (l <= depth) {
 			Fh(tl, 0, "\t%*s}\n", -depth, "");
 			depth--;
-			oc = "else ";
 		}
 
 		m = ae->mask;
 		m -= l * 8;
+		assert(m >= 0);
 
 		/* Do whole byte compares */
 		for (i = l; m >= 8; m -= 8, i++) {
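Review bot: The added `assert(m >= 0);` has no comment explaining why the remaining bit count cannot be negative, and the reason lies in the prefix loop of the previous hunk rather than here. A one-line comment above it would record the invariant, for example `/* the prefix loop only counts whole bytes inside the mask, so l * 8 <= ae->mask */`. This should be checked against the lines between the two hunks, which are not shown. The removal of `oc = "else ";` from the back-down loop is also unexplained in the code, so a short comment where `oc` is set (outside this hunk) on when an `else` may be emitted would help the next reader.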


