[master] f5c42c6 Return 503 when Vary-headers references header names more than 127 (out limit) characters long.

Martin Blix Grydeland martin at varnish-cache.org
Tue Mar 19 15:43:19 CET 2013


commit f5c42c6aaf9bdadf58f58dddb2b9e755d12d790b
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date:   Mon Mar 18 17:00:57 2013 +0100

    Return 503 when Vary-headers references header names more than 127
    (our limit) characters long.
    
    Fixes: #1274
    
    Test case by: Dag Haavi Finstad

diff --git a/bin/varnishd/cache/cache_vary.c b/bin/varnishd/cache/cache_vary.c
index d8a84eb..be98201 100644
--- a/bin/varnishd/cache/cache_vary.c
+++ b/bin/varnishd/cache/cache_vary.c
@@ -101,6 +101,13 @@ VRY_Create(struct req *req, const struct http *hp, struct vsb **psb)
 		for (q = p; *q && !vct_issp(*q) && *q != ','; q++)
 			continue;
 
+		if (q - p > INT8_MAX) {
+			VSLb(req->vsl, SLT_Error,
+			    "Vary header name length exceeded");
+			error = 1;
+			break;
+		}
+
 		/* Build a header-matching string out of it */
 		VSB_clear(sbh);
 		VSB_printf(sbh, "%c%.*s:%c",
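Review bot: The bound `q - p > INT8_MAX` still admits a name of exactly 127 characters, and the `VSB_printf` format right after it opens with a `%c` that looks like a length prefix ahead of `%.*s:`. The arguments are outside the hunk, but if that byte counts the name plus the trailing `:`, it reaches 128 at the boundary and no longer fits a signed char, which is the condition the test title gives for #1274. Comparing against the value actually stored, e.g. `if (1 + (q - p) > INT8_MAX) {`, would close that off-by-one; confirm against the argument list. It would also help operators if the `SLT_Error` record carried the offending length, so the backend sending it can be identified from the log. The loop in VRY_Create and the handling of `error` continue outside the hunk.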
diff --git a/bin/varnishtest/tests/r01274.vtc b/bin/varnishtest/tests/r01274.vtc
new file mode 100644
index 0000000..fe427cc
--- /dev/null
+++ b/bin/varnishtest/tests/r01274.vtc
@@ -0,0 +1,15 @@
+varnishtest "#1274 - panic when Vary field-name is too large to fit in a signed char"
+
+server s1 {
+       rxreq
+       # Vary header more than 127 characters long
+       txresp -hdr "Vary: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 
+} -start
+
+varnish v1 -vcl+backend { } -start
+
+client c1 {
+       txreq
+       rxresp
+       expect resp.status == 503
+} -run
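Review bot: The test sends only one field-name well past the limit, so an off-by-one in the length check in cache_vary.c would pass unnoticed. Add cases with a field-name of exactly 127 characters and one just below it, each asserting the status the limit is meant to produce, so that both the rejecting and the accepting side of the boundary are pinned. The comment above `txresp` would be more precise as `# Vary references a field-name longer than 127 characters`, since the limit applies to each referenced name rather than to the Vary header as a whole.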


