[master] 23ca54d Add an assert preventing buffer overflows

Martin Blix Grydeland martin at varnish-software.com
Mon Dec 5 13:02:05 CET 2016


commit 23ca54d8727c28b5e93941855b54e6f6fd3dcb8b
Author: Martin Blix Grydeland <martin at varnish-software.com>
Date:   Mon Nov 28 11:56:49 2016 +0100

    Add an assert preventing buffer overflows
    
    Make sure that the workspace can accommodate the pipelined data before
    memmoving it into place.
    
    Add a comment on an open issue in the H2 code path that could trigger
    this assert.

diff --git a/bin/varnishd/cache/cache_session.c b/bin/varnishd/cache/cache_session.c
index 9bcb824..e915712 100644
--- a/bin/varnishd/cache/cache_session.c
+++ b/bin/varnishd/cache/cache_session.c
@@ -196,6 +196,7 @@ HTC_RxInit(struct http_conn *htc, struct ws *ws)
 	if (htc->pipeline_b != NULL) {
 		l = htc->pipeline_e - htc->pipeline_b;
 		assert(l > 0);
+		assert(l <= ws->r - htc->rxbuf_b);
 		memmove(htc->rxbuf_b, htc->pipeline_b, l);
 		htc->rxbuf_e += l;
 		htc->pipeline_b = NULL;
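Review bot: The added `assert(l <= ws->r - htc->rxbuf_b);` is only meaningful if `htc->rxbuf_b` lies at or before `ws->r`, and nothing in the visible lines establishes that before the subtraction. Consider asserting `htc->rxbuf_b <= ws->r` (and that the workspace reservation is active) on its own line first, so a bad pointer relationship fails with a clear message instead of being folded into the length comparison. Also note that this check converts an oversized pipeline into a process abort rather than a handled error; the second hunk already documents a caller that can reach it, so a follow-up that returns a failure to the caller instead of asserting would be the more robust fix.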
diff --git a/bin/varnishd/http2/cache_http2_proto.c b/bin/varnishd/http2/cache_http2_proto.c
index 54b8a2e..ff3278f 100644
--- a/bin/varnishd/http2/cache_http2_proto.c
+++ b/bin/varnishd/http2/cache_http2_proto.c
@@ -661,6 +661,9 @@ h2_new_ou_session(struct worker *wrk, struct h2_sess *h2,
 	h2->htc->pipeline_e = req->htc->pipeline_e;
 	req->htc->pipeline_b = NULL;
 	req->htc->pipeline_e = NULL;
+	/* XXX: This call may assert on buffer overflow if the pipelined
+	   data exceeds the available space in the aws workspace. What to
+	   do about the overflowing data is an open issue. */
 	HTC_RxInit(h2->htc, wrk->aws);
 
 	/* Start req thread */
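Review bot: The XXX comment above `HTC_RxInit(h2->htc, wrk->aws);` records a known way to reach the new assert but leaves the call unguarded, so this path can still abort when the pipelined data is larger than the space in `wrk->aws`. Suggest comparing `h2->htc->pipeline_e - h2->htc->pipeline_b` against the available aws space before the call and failing the session cleanly when it does not fit. If that has to wait, the comment should reference a tracking ticket so the open issue is not lost.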


